CCSK Certificate of Cloud Computing Knowledge - overview
Teleseminar June 26, 2014
By Dr. Peter HJ van Eijk
Dr Peter HJ van Eijk
One of the world’s most experienced independent cloud trainers; delivered worldwide to hundreds of students
Certified trainer for CSA “Certificate of Cloud Security
Author of “Cloud Business Essentials”
Author and Master trainer for “CompTIA Cloud Essentials”
Master Trainer for “Virtualization Essentials”
Worked earlier at Deloitte, EDS and University of Twente (a.o)
History of CCSK
• Cloud adoption is unavoidable.
• Security is listed as the number 1 obstacle to cloud adoption, and for good reason.
• Even though cloud computing is a form of outsourcing, its characteristics have a new and very important impact on the security posture and the management of risks.
• The Cloud Security Alliance (CSA), founded in 2008, is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing.
• It is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
• Membership is free for professionals.
Cloud Security Guidance
• The CSA leads volunteer efforts to produce best practices documents.
• “Security Guidance for Critical Areas of Focus in Cloud Computing V3.0” is the most important document CSA has produced.
• Additionally, ENISA (the EU agency) has produced “Cloud Computing: Benefits, risks and recommendations for information security”.
• CCSK tests knowledge of these documents.
Certificate of Cloud Security Knowledge
• The CCSK is an examination testing for a broad foundation of knowledge about cloud security, with topics ranging from architecture, governance, compliance, operations, encryption, virtualization and much more.
• CCSK was first released by CSA in 2010.
• Thousands of IT and security professionals have obtained the CCSK.
• CCSK is the basis for many consumer/vendor discussions around risk and assurance, and is starting to become required in certain segments.
• CIO.com listed CCSK as #1 on its list of Top Ten Cloud Computing Certifications.
Contents of CCSK
• The body of knowledge is divided into 15 domains, which we will briefly introduce in
• The exam has questions for each domain.
• The domains overlap and cross-reference at various points, and a significant portion is managerial rather than technical.
Domain 1. Cloud Architecture
• Domain 1 introduces the essential characteristics of cloud computing, service and deployment models, largely based on the NIST definitions and the way it changes
• Sample question (from CSA website): What are the five essential characteristics of cloud
Domain 2. Governance and Enterprise
• Domain 2 describes how cloud computing can be embedded in existing governance and risk management, so as to maximally align with
• Sample question: The level of attention and scrutiny paid to enterprise risk assessments should be directly related to what?
Domain 3. Legal and Electronic
• Domain 3 describes how jurisdiction, contract law and other legal requirements play out in the context of cloud computing.
• Sample question: In the majority of data protection laws, when the data is transferred to a third-party custodian, who is ultimately responsible for the security of the data?
Domain 4. Compliance and Audit
• Domain 4 elaborates on compliance obligations (such as industry regulations) and how these can be validated by audits.
• Sample question: What is the most important reason for knowing where the cloud service provider will host the data?
Domain 5. Information Management and Data Security
• Domain 5 gives a number of models to apply to storage technology, as well as the data life cycle and ways of controlling information flow.
• Sample question: What are the six phases of the data security lifecycle?
Domain 6. Portability and
• Domain 6 discusses some considerations around deploying multiple cloud solutions and
• Sample question: Why is the size of data sets a consideration in portability between cloud
Domain 7. Traditional Security, BCM,
• Domain 7 elaborates on traditional data center security, the physical side of cloud computing so to speak, including human
• Sample question: What are the four D's of
Domain 8. Data Center Operations
• Domain 8 extends domain 7 by discussing
• Sample question: In which type of environment is it impractical to allow the customer to conduct their own audit, making it important that the data center operators are required to provide auditing for the
Domain 9. Incident Response
• Domain 9 elaborates on the way incident response processes change when IT resources interact in real time across multiple providers.
• Sample question: What measures could be taken by the cloud service provider (CSP) that might reduce the occurrence of application
Domain 10. Application Security
• Domain 10 discusses risks and control adaptations from the application architecture and implementation perspective.
• Sample question: How should an SDLC be modified to address application security in a Cloud Computing environment?
Domain 11. Encryption and Key Management
• Domain 11 describes multiple encryption use cases in cloud environments, as well as their implications for key management.
• Sample question: What is the most significant reason that customers are advised to maintain in-house key management?
Domain 12. Identity and Access Management
• Domain 12 describes how federated identity and access management will enable secure
• Sample question: What two types of information will cause additional regulatory issues for all organizations if held as an aspect of an Identity?
Domain 13. Virtualization
• Domain 13 describes the risks that virtualization technology brings.
• Sample question: Why do blind spots occur in a virtualized environment, where network-based security controls may not be able to monitor certain types of traffic?
Domain 14. Security as a Service
• Domain 14 describes opportunities and concerns around using cloud services for implementing security controls.
• Sample question: When deploying Security as a Service in a highly regulated industry or environment, what should both parties agree on in advance and include in the SLA?
• The ENISA document lists 35 risk categories, mostly cloud related. Some industry regulations specifically refer to these.
• Sample question: Economic Denial of Service (EDOS) refers to...
Relation with CCM
• The Cloud Controls Matrix (CCM) is a security and compliance control framework.
• Cloud specific; cross-references multiple frameworks, including PCI-DSS, ISO 27001,
• Controls match the “Guidance” recommendations.
• Basis for STAR certification of providers.
The CCSK exam
• The CCSK examination is a timed, multiple-choice examination you take online. The examination consists of 60 multiple-choice questions selected randomly from our question pool, and must be completed within 90 minutes. A participant must correctly answer 80% of the questions to receive a passing score. Because the exam is online, it is
• You get two tries.
Studying for CCSK
• Study the documents.
• Learn to search them.
• There are only a few sample questions out
• Consider taking a course; most attendants pass the test.
• For practical background:
– Visit http://www.clubcloudcomputing.com
– Subscribe to the membership site.
What do you need to get CCSK?
Please use chat box now.