In This Article show

Introduction

Information Security (IS) is currently making a serious contribution to business development by ensuring not only reliable operations but also new opportunities for qualitative differentiation. It is increasingly seen as a value creator or facilitator of operations in new business models. As the cloud comes into the picture, this raises new questions to the board of directors, is our data secure up there? do we have control? I heard that if we move to the cloud we are secure, is that true? What about privacy, compliance, and data regulation? Cloud security is a shared responsibility, what does that mean? the list of questions goes on and on… For this reason, it is imperative that before adopting cloud computing, organizations must first understand the security considerations that are inherited by the cloud computing model. These considerations must be revised before adopting—ideally during the planning process.

Security in the realm of information technology has been fascinating to me for a long time. After passing the Swiss federal exam as an ICT Security Expert with an academic diploma, I decided to gain more experience with Cloud Security. Starting this journey, I decided to go with neutral vendor certifications for Cloud Security which is the Certificate of Cloud Security Knowledge (CCSK) by Cloud Security Alliance (CSA), and the Certified Cloud Security Professional (CCSP) certification by the International Information System Security Certification Consortium (ISC)2. I believe in vendor-neutral certifications, and I don’t trust marketing. The good news is, the knowledge that you acquire by attaining one of these certificates will help you to apply and secure your cloud workloads whether it’s running on Microsoft Azure, Google GCP, and Amazon AWS.

As a matter of fact, here is the Cloud Security Alliance (CSA) – Security Trust Assurance and Risk (STAR) Registry for Microsoft Azure. You can find the same certification and attestation for different cloud providers as well. The STAR program is based on technical work done within the CSA – Open Certification Framework (OCF), Cloud Controls Matrix (CCM), and Consensus Assessments Initiative Questionnaire (CAIQ) working groups.

For this post, I will focus more on the CCSK (known as the grand-daddy of cloud security certifications which was released back in 2011), and in the next blog post, I will share with you my preparation experience for the CCSP certification which was released back in 2015 and requires 5 years experience in IT. CCSP is even harder compare to CCSK, so if you want to follow this path, I recommend you to start first with CCSK and then with CCSP, because attaining the CCSK certification first can also be substituted as one year of cloud security experience towards CCSP.

The big difference between both certifications is the following: CCSK does not require to collect continuing professional education (CPE) points to keep your certification active, and you don’t have to pay renewal/membership fees as required for CCSP ($125/year, 90 CPE/3 years). If you are interested to have more details about both certifications, then I highly recommend checking the comparison article details here.

After 3 months of preparation, I am so happy and grateful now that I passed the CCSK exam on the first attempt. In this article, I will share with you how to prepare and pass the Certificate of Cloud Security Knowledge (CCSK version 4) by Cloud Security Alliance (CSA) successfully.

CCSK exam overview

In this exam, you will receive 60 multiple-choice questions, and the total time for this exam is 90 minutes. The minimum passing score for this exam is 80% (very high), so you should answer at least 48 questions right to pass it. The good news is, this exam is an open-book and you can do it from home, but don’t underestimate the difficulty of this exam because you will have about 90 seconds per question to answer. That is not enough to look up all questions in the books. I’ve seen that the passing rate is around 62%. Time is very crucial as many think that this exam can be attended at home by keeping the required material open to read and search which is a waste of time in many cases as you may search and answer the 50% questions but will fail to attempt the remaining 50% as the time lapses.

The exam price costs $395, the good news is, Cloud Security Alliance is giving a 20% discount through May 31st, 2020. If you do not pass the exam… you will receive two opportunities to pass the exam (only 2 tries). While you may take your second attempt as soon as you wish, however, I highly recommend studying the source material again prior to taking the test. Because of question randomization, you may see a very different exam with mostly different questions. Once you attain the CCSK certification, there is no maintenance activity or fee to pay to renew it.

Skills measured on this exam

This exam measures your ability to know and understand the 14 domains listed below based on the latest updates from the Cloud Security Alliance (CCSK V4).

Below is the information that how I received the examination questions across these domains, but of course this may vary slightly case by case. The questions do pretty much match the list of domains and skills measured below:

Governing in the Cloud

DOMAIN 1: Cloud Computing Concepts and Architectures (6 questions)

Definitions of Cloud Computing
- Service Models
- Deployment Models
- Reference and Architecture Model
Cloud Security Scope, Responsibilities, and Models
Areas of Critical Focus in Cloud Security

DOMAIN 2: Governance and Enterprise Risk Management (2 questions)

Tools of Cloud Governance
Enterprise Risk Management in the Cloud
Effects of various Service and Deployment Models
Cloud Risk Trade-Offs and Tools

DOMAIN 3: Legal Issues, Contracts, and Electronic Discovery (3 questions)

Legal Frameworks Governing Data Protection and Privacy
- Cross-Border Data Transfer
- Regional Considerations
Contracts and Provider Selection
- Contracts
- Due Diligence
- Third-Party Audits and Attestations
Electronic Discovery
- Data Custody
- Data Preservation
- Data Collection
- Response to a Subpoena or Search Warrant

DOMAIN 4: Compliance and Audit Management (3 questions)

Compliance in the Cloud
- Compliance impact on cloud contracts
- Compliance scope
- Compliance analysis requirements
Audit Management in the Cloud
- Right to audit
- Audit scope
- Auditor requirements

DOMAIN 5: Information Governance (2 questions)

Governance Domains
Six phases of the Data Security Life-cycle and their key elements
Data Security Functions, Actors and Controls

Operating in the Cloud

DOMAIN 6: Management Plane and Business Continuity (4 questions)

Business Continuity and Disaster Recovery (BCDR) in the Cloud
Architect for Failure
Management Plane Security

DOMAIN 7: Infrastructure Security (6 questions)

Cloud Network Virtualization
Security Changes With Cloud Networking
Challenges of Virtual Appliances
Software-Defined Network (SDN) Security Benefits
Micro-segmentation and the Software-Defined Perimeter (SDP)
Hybrid Cloud Considerations
Cloud Compute and Workload Security

DOMAIN 8: Virtualization and Containers (5 questions)

Mayor Virtualization Categories
Network
Storage
Containers

DOMAIN 9: Incident Response (4 questions)

Incident Response (IR) Life-cycle
How the Cloud Impacts Incident Response (IR)

DOMAIN 10: Application Security (6 questions)

Opportunities and Challenges
Secure Software Development Life-cycle
How Cloud Impacts Application Design and Architectures
The Rise and Role of DevOps

DOMAIN 11: Data Security and Encryption (6 questions)

Data Security Controls
Cloud Data Storage Types
Managing Data Migrations to the Cloud
Securing Data in the Cloud

DOMAIN 12: Identity, Entitlement and Access Management (3 questions)

Identity and Access Management (IAM) Standards for Cloud Computing
Managing Users and Identities
Authentication and Credentials
Entitlement and Access Management

DOMAIN 13: Security as a Service (2 questions) – SECaaS

Potential Benefits and Concerns of SECaaS
Major Categories of Security as a Service Offerings

DOMAIN 14: Related Technologies (1 question)

Big Data
Internet of Things (IoT)
Mobile
Server-less Computing

CCM – Cloud Controls Matrix

This is considered an extra domain. The Cloud Control Matrix is a security and compliance control framework that is cloud-specific and cross-references for multiple frameworks, including PCI-DSS, ISO/IEC 27001, HIPAA, COBIT 5, etc.

The CCM lists more than a hundred controls, most of them specifically for cloud computing. The CCSK tests for a basic understanding of the structure of the CCM.

ENISA – European Union Agency for Cybersecurity Recommendations

This is also considered an extra domain. The ENISA document lists 35 risk categories, most of them are cloud-related. Some industry regulations specifically refer to these categories such as national banks, government organizations, etc.

The Top (8) Risks of ENISA

Loss of Governance
Lock-In (i.e. vendor lock-in)
Isolation Failure
Compliance Risks
Management Interface Compromise
Data Protection
Insecure or Incomplete Data Deletion
Malicious Insider

CCSK Plus

Cloud Security Alliance (CSA) has also introduced a CCSK Plus course. What is CCSK Plus?

CCSK Plus has a set of labs that will show you how to secure an application workload based on Amazon AWS IaaS infrastructure. The labs are distributed as follows:

Lab 1: Core account security (how to secure the management plan).
Lab 2: Identity and Access Management (IAM) and monitoring.
Lab 3: Network and instance security.
Lab 4: Encryption and storage.
Lab 5: Application security and federated identity management.
Lab 6: Select a cloud provider based on the Cloud Controls Matrix (CCM) and Consensus Assessments Initiative Questionnaire (CAIQ).

Unfortunately, at the time of this writing, there is no CCSK lab that will teach you how to secure Microsoft Azure workloads. I hope that the Cloud Security Alliance will look at Azure labs as well besides AWS security.

The good news is, most of the principles that you will learn with the CCSK Plus course actually apply to Google Cloud Platform (GCP), Microsoft Azure, and Open Stack as well.

Exam Target Audience

The CCSK certification demonstrates that the candidate understands the Body of Knowledge well enough. This certification is targeted for individuals only and not for a service provider or company.

Attaining the CCSK Certification will help you:

Validate your competence and knowledge in cloud security domains.
Demonstrate your technical knowledge, skills, and abilities to effectively develop a holistic cloud security program.
Advance to the next level in your career or get a job in the fast-growing cloud security market.
Gain access to valuable career resources, such as networking and ideas exchange with peers.

Lessons Learned and Exam Preparation

To prepare and pass this exam successfully, I highly recommend the following based on my experience in passing this exam. The CCSK body of knowledge is based on the following 3 main documents which are free to download and can also be found below:

The Security Guidance for Critical Areas of Focus in Cloud Computing v4.0 by the Cloud Security Alliance.
The Cloud Security Alliance has also produced the Cloud Controls Matrix (CCM) v3.0.1.
The European Union Agency for Cybersecurity Recommendations (ENISA) has produced Cloud Computing, Benefits, risks, and recommendations for information security.
Free CCSK v4 eBook guidance in 60 minutes download link by CCSK Cloud Security.

Together these are a broad foundation of knowledge about Cloud Security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization, containers, and much more. I recommend you to read those documents at least 3 to 4 times before taking the exam!

As with any test, the working is weird, but if you are familiar with the material and know where to check in the guidance, you should be fine.

There is a lot of training available on the market whether self-study or instructor led-training that will help you to prepare for this exam. I will list here all the resources available so you can choose based on your preferred option.

Books

If you are kind of person that you like to read books and prepare for this exam, I highly recommend to pick one of below books:

CCSK Certificate of Cloud Security Knowledge All-in-One Exam Guide. This effective study guide provides 100% coverage of every topic on the challenging CCSK exam from the Cloud Security Alliance.
The Fast Track CCSK Certification V4.0: The Ultimate Guide for Cloud Certificate by Rachid Echouah.

Self-Study CCSK Course

There is on-demand online training (recorded videos) where you can choose one of the below options:

Self-Study CCSK Plus Course

If you want advanced self-study online training including hands-on labs, you can choose one of the below options:

Instructor-Led CCSK Course

For instructor-led training, you have a couple of options virtual or physical, however, with the current pandemic situation as of this writing, the virtual instructor-led course makes more sense.

Practice Test

If you would like to practice your knowledge before taking this exam which I highly recommend, then you choose one of below option:

Please note that these questions are to self-assessment purpose ONLY and not the examination dumps. Do not expect more than 5% of questions in real exam from these. But this practice questions can help you prepare for the exam by building your confidence on the required domain and where to improve if needed.

Last but not least, don’t wait too long after choosing any of the training options mentioned above to take your test.

Certificate

As soon as you submit your exam, you will receive the certificate details (Passed or Failed), and then you can immediately download your certificate in PDF format as shown below.