Information Security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. As the cloud comes into the picture, it raises new questions for the board of directors: Is our data secure up there? Do we have control? I heard that if we move to the cloud we are secure; is that true? What about privacy, compliance, and data regulation? Cloud security is a shared responsibility; what does that mean? The list of questions goes on and on. For this reason, it is imperative that organizations first understand the security considerations inherent in the cloud computing model before adopting it. These considerations must be reviewed before adoption, ideally during the planning process.
Security in the realm of information technology has been fascinating to me for a long time. After passing the Swiss federal exam as an ICT Security Expert with an academic diploma, I decided to gain more experience with cloud security. Starting this journey, I decided to go with vendor-neutral certifications for cloud security: the Certificate of Cloud Security Knowledge (CCSK) by the Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP) certification by the International Information System Security Certification Consortium (ISC)2. I believe in vendor-neutral certifications, and I don’t trust marketing. The good news is that the knowledge you acquire by attaining one of these certificates will help you apply and secure your cloud workloads whether they run on Microsoft Azure, Google GCP, or Amazon AWS.
As a matter of fact, here is the Cloud Security Alliance (CSA) – Security Trust Assurance and Risk (STAR) Registry for Microsoft Azure. You can find the same certifications and attestations for other cloud providers as well. The STAR program is based on technical work done within the CSA Open Certification Framework (OCF), Cloud Controls Matrix (CCM), and Consensus Assessments Initiative Questionnaire (CAIQ) working groups.
For this post, I will focus on the CCSK (known as the grand-daddy of cloud security certifications, released back in 2011), and in the next blog post I will share with you my experience with the CCSP certification, which was released back in 2015 and requires 5 years of experience in IT. CCSP is even harder compared to CCSK, so if you want to follow this path, I recommend that you start with CCSK and then move on to CCSP, because attaining the CCSK certification first can also be substituted for one year of cloud security experience towards CCSP.
The big difference between the two certifications is the following: CCSK does not require you to collect continuing professional education (CPE) credits to keep your certification active, and you don’t have to pay renewal/membership fees as required for CCSP ($100/year, 90 CPEs/3 years). If you are interested in more details about both certifications, then I highly recommend checking the comparison article here.
I am so happy and grateful now that I passed the CCSK exam on the first attempt. In this article, I will share with you how to prepare for and successfully pass the Certificate of Cloud Security Knowledge (CCSK version 4) exam by the Cloud Security Alliance (CSA).
CCSK exam overview
In this exam, you will receive 60 multiple-choice questions, and the total time for the exam is 90 minutes. The minimum passing score is 80% (very high), so you must answer at least 48 questions correctly to pass. The good news is that this exam is open-book and you can take it from home, but don’t underestimate its difficulty, because you will have only about 90 seconds per question. That is not enough to look up every question in the books. I’ve seen that the passing rate is around 62%. Time is crucial: many think that, because this exam can be taken at home with the required material open to read and search, they can look everything up, which is a waste of time in many cases, as you may search for and answer 50% of the questions but fail to attempt the remaining 50% as the time lapses.
The exam costs $395; the good news is that the Cloud Security Alliance is giving a 20% discount through May 31st, 2020. If you do not pass the exam, you will receive two opportunities to pass it (only 2 tries). While you may take your second attempt as soon as you wish, I highly recommend studying the source material again before retaking the test. Because of question randomization, you may see a very different exam with mostly different questions. Once you attain the CCSK certification, there is no maintenance activity or renewal fee to pay.
Skills measured on this exam
This exam measures your knowledge and understanding of the 14 domains listed below, based on the latest updates from the Cloud Security Alliance (CCSK v4).
Below is how the examination questions were distributed across these domains in my case; of course this may vary slightly from exam to exam. The questions pretty much match the list of domains and skills measured below:
Governing in the Cloud
DOMAIN 1: Cloud Computing Concepts and Architectures (6 questions)
- Definitions of Cloud Computing
- Service Models
- Deployment Models
- Reference and Architecture Model
- Cloud Security Scope, Responsibilities, and Models
- Areas of Critical Focus in Cloud Security
DOMAIN 2: Governance and Enterprise Risk Management (2 questions)
- Tools of Cloud Governance
- Enterprise Risk Management in the Cloud
- Effects of various Service and Deployment Models
- Cloud Risk Trade-Offs and Tools
DOMAIN 3: Legal Issues, Contracts, and Electronic Discovery (3 questions)
- Legal Frameworks Governing Data Protection and Privacy
- Cross-Border Data Transfer
- Regional Considerations
- Contracts and Provider Selection
- Due Diligence
- Third-Party Audits and Attestations
- Electronic Discovery
- Data Custody
- Data Preservation
- Data Collection
- Response to a Subpoena or Search Warrant
DOMAIN 4: Compliance and Audit Management (3 questions)
- Compliance in the Cloud
- Compliance impact on cloud contracts
- Compliance scope
- Compliance analysis requirements
- Audit Management in the Cloud
- Right to audit
- Audit scope
- Auditor requirements
DOMAIN 5: Information Governance (2 questions)
- Governance Domains
- Six phases of the Data Security Life-cycle and their key elements
- Data Security Functions, Actors and Controls
Operating in the Cloud
DOMAIN 6: Management Plane and Business Continuity (4 questions)
- Business Continuity and Disaster Recovery (BCDR) in the Cloud
- Architect for Failure
- Management Plane Security
DOMAIN 7: Infrastructure Security (6 questions)
- Cloud Network Virtualization
- Security Changes With Cloud Networking
- Challenges of Virtual Appliances
- Software-Defined Network (SDN) Security Benefits
- Micro-segmentation and the Software-Defined Perimeter (SDP)
- Hybrid Cloud Considerations
- Cloud Compute and Workload Security
DOMAIN 8: Virtualization and Containers (5 questions)
- Major Virtualization Categories
DOMAIN 9: Incident Response (4 questions)
- Incident Response (IR) Life-cycle
- How the Cloud Impacts Incident Response (IR)
DOMAIN 10: Application Security (6 questions)
- Opportunities and Challenges
- Secure Software Development Life-cycle
- How Cloud Impacts Application Design and Architectures
- The Rise and Role of DevOps
DOMAIN 11: Data Security and Encryption (6 questions)
- Data Security Controls
- Cloud Data Storage Types
- Managing Data Migrations to the Cloud
- Securing Data in the Cloud
DOMAIN 12: Identity, Entitlement and Access Management (3 questions)
- Identity and Access Management (IAM) Standards for Cloud Computing
- Managing Users and Identities
- Authentication and Credentials
- Entitlement and Access Management
DOMAIN 13: Security as a Service (SECaaS) (2 questions)
- Potential Benefits and Concerns of SECaaS
- Major Categories of Security as a Service Offerings
DOMAIN 14: Related Technologies (1 question)
- Big Data
- Internet of Things (IoT)
- Serverless Computing
CCM – Cloud Controls Matrix
This is considered an extra domain. The Cloud Controls Matrix is a cloud-specific security and compliance control framework that cross-references multiple other frameworks, including PCI DSS, ISO/IEC 27001, HIPAA, COBIT 5, etc.
The CCM lists more than a hundred controls, most of them specifically for cloud computing. The CCSK tests for a basic understanding of the structure of the CCM.
ENISA – European Union Agency for Cybersecurity Recommendations
This is also considered an extra domain. The ENISA document lists 35 risk categories, most of them cloud-related. Some industry regulations, such as those of national banks and government organizations, specifically refer to these categories.
The Top 8 Risks according to ENISA
- Loss of Governance
- Lock-In (i.e. vendor lock-in)
- Isolation Failure
- Compliance Risks
- Management Interface Compromise
- Data Protection
- Insecure or Incomplete Data Deletion
- Malicious Insider
The Cloud Security Alliance (CSA) has also introduced a CCSK Plus course. What is CCSK Plus?
CCSK Plus includes a set of labs that show you how to secure an application workload on Amazon AWS IaaS infrastructure. The labs are distributed as follows:
- Lab 1: Core account security (how to secure the management plane).
- Lab 2: Identity and Access Management (IAM) and monitoring.
- Lab 3: Network and instance security.
- Lab 4: Encryption and storage.
- Lab 5: Application security and federated identity management.
- Lab 6: Select a cloud provider based on the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).
Unfortunately, at the time of this writing, there is no CCSK lab that teaches you how to secure Microsoft Azure workloads. I hope that the Cloud Security Alliance will look at Azure labs as well, besides AWS security.
Exam Target Audience
The CCSK certification demonstrates that the candidate understands the Body of Knowledge well enough. This certification is targeted at individuals only, not at service providers or companies.
Attaining the CCSK Certification will help you:
- Validate your competence and knowledge in cloud security domains.
- Demonstrate your technical knowledge, skills, and abilities to effectively develop a holistic cloud security program.
- Advance to the next level in your career or get a job in the fast-growing cloud security market.
- Gain access to valuable career resources, such as networking and ideas exchange with peers.
Lessons Learned and Exam Preparation
To prepare for and pass this exam successfully, I highly recommend the following, based on my experience in passing it. The CCSK body of knowledge is based on the following 3 main documents, which are free to download and can also be found below:
- The Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 by the Cloud Security Alliance.
- The Cloud Security Alliance has also produced the Cloud Controls Matrix (CCM) v3.0.1.
- The European Union Agency for Cybersecurity (ENISA) has produced Cloud Computing: Benefits, Risks and Recommendations for Information Security.
- Free CCSK v4 eBook, Guidance in 60 Minutes (download link), by CCSK Cloud Security.
Together these form a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization, and containers to much more. I recommend reading those documents at least 3 to 4 times before taking the exam!
As with any test, the wording is weird, but if you are familiar with the material and know where to check in the guidance, you should be fine.
There is a lot of training available on the market, whether self-study or instructor-led, that will help you prepare for this exam. I will list here all the resources available so you can choose based on your preferred option.
If you are the kind of person who likes to read books to prepare for an exam, I highly recommend picking one of the books below:
- CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide. This effective study guide provides 100% coverage of every topic on the challenging CCSK exam from the Cloud Security Alliance.
- The Fast Track CCSK Certification V4.0: The Ultimate Guide for Cloud Certificate by Rachid Echouah.
Self-Study CCSK Course
There is on-demand online training (recorded videos) where you can choose one of the options below:
- Cloud Security Expert – Get CCSK Certified by CCSKCloudSecurity.com
- Cloud and Security Architecture v4 by ClubCloudComputing.com
- Certificate of Cloud Security Knowledge including exam token by Cloud Security Alliance
- CCSK: Certificate of Cloud Security Knowledge (On-Demand) by intrinsecsecurity.com
Self-Study CCSK Plus Course
If you want advanced self-study online training including hands-on labs, you can choose one of the options below:
- Cloud Security Expert Plus – Get CCSK Certified by CCSKCloudSecurity.com
- Certificate of Cloud Security Knowledge. All official courseware, and more by ClubCloudComputing.com
Instructor-Led CCSK Course
For instructor-led training, you have a couple of options, virtual or physical; however, with the current pandemic situation as of this writing, the virtual instructor-led course makes more sense.
- Virtual Instructor-Led Course by Cloud Security Alliance. This training includes the CCSK Plus labs and an exam token.
- Official CSA Certified Cloud Security Knowledge (CCSK) Foundation – live online instructor-led sessions by SIGS Switzerland
- Official CSA Certified Cloud Security Knowledge (CCSK) Plus – live online instructor-led sessions by SIGS Switzerland
- CCSK Plus | Certificate of Cloud Security Knowledge v4.1 by intrinsecsecurity.com
- CCSK Foundation | Certificate of Cloud Security Knowledge v4.1 by intrinsecsecurity.com
If you would like to practice your knowledge before taking this exam, which I highly recommend, then choose one of the options below:
- Certificate of Cloud Security Knowledge (CCSK) v4 Practice Tests by skillcert pro.
- CCSK(v4.0)-Certificate of Cloud Security Knowledge Tests by udemy.
- Cloud Security Knowledge (CCSK) v4 by whizlabs.
Please note that these questions are for self-assessment purposes ONLY and are not examination dumps. Do not expect more than 5% of the questions in the real exam to come from these. However, these practice questions can help you prepare for the exam by building your confidence in the required domains and showing where to improve if needed.
Last but not least, don’t wait too long after choosing any of the training options mentioned above to take your test.
As soon as you submit your exam, you will receive the result (Passed or Failed), and you can then immediately download your certificate in PDF format, as shown below.
If you are planning to take this exam… I wish you all the best and Happy Studying!!!
Thank you for reading my blog.
If you have any questions or feedback, please leave a comment.