CCSK Overview
Teleseminar June 26, 2014
By Dr. Peter HJ van Eijk
About me
Dr Peter HJ van Eijk
One of the world’s most experienced independent cloud
trainers; Delivered worldwide to 100s of students
Certified trainer for CSA “Certificate of Cloud Security
Knowledge” (CCSK)
Author of “Cloud Business Essentials”
Author and Master trainer for “CompTIA Cloud Essentials”
Master Trainer for “Virtualization Essentials”
Worked earlier at Deloitte, EDS and University of Twente (among others)
History of CCSK
• Cloud adoption is unavoidable
• Security is listed as the number 1 obstacle to
cloud adoption, and for good reason
• Even though cloud computing is a form of
outsourcing, its characteristics have a new and
very important impact on the security posture
and the management of risks.
• The Cloud Security Alliance (CSA) (founded in
2008) is a not-for-profit organization with a
mission to promote the use of best practices for
providing security assurance within Cloud
Computing, and to provide education on the uses
of Cloud Computing to help secure all other
forms of computing.
• It is led by a broad coalition of industry
practitioners, corporations, associations and
other key stakeholders.
• Membership is free for professionals.
Cloud Security Guidance
• The CSA leads volunteer efforts to produce
best practices documents.
• “Security Guidance for Critical Areas of Focus
in Cloud Computing V3.0” is the most
important document CSA has produced.
• Additionally, ENISA (EU Agency) has produced
“Cloud Computing, Benefits, risks and
recommendations for information security.”
• CCSK tests knowledge of these documents.
CCSK: Certificate of Cloud Security Knowledge
• The CCSK is an examination testing for a broad
foundation of knowledge about cloud security,
with topics ranging from architecture,
governance, compliance, operations,
encryption, virtualization and much more.
• CCSK was first released by CSA in 2010
• Thousands of IT and security professionals
have obtained the CCSK.
• CCSK is the basis for many consumer/vendor
discussions around risk and assurance, and
is starting to become required in certain segments
• CIO.com listed CCSK as #1 on the list of Top
Ten Cloud Computing Certifications
(http://www.cio.com/slideshow/detail/129043#slide2)
Contents of CCSK
• The body of knowledge is divided into 15
domains, which we will briefly introduce in
this webinar.
• The exam has questions for each domain.
• The domains overlap and cross-reference at
various points, and a significant portion is
managerial rather than technical.
Domain 1. Cloud Architecture
• Domain 1 introduces the essential
characteristics of cloud computing, service
and deployment models, largely based on the
NIST definitions and the way it changes
security responsibilities.
• Sample question (from CSA website): What are
the five essential characteristics of cloud
computing?
Who runs it? (diagram: for each layer, you choose whether you or they run it)
Domain 2. Governance and Enterprise Risk
• Domain 2 describes how cloud computing can
be embedded in existing governance and risk
management, so as to maximally align with
business objectives.
• Sample question: The level of attention and
scrutiny paid to enterprise risk assessments
should be directly related to what?
Domain 3. Legal and Electronic Discovery
• Domain 3 describes how jurisdiction, contract
law and other legal requirements play out in
the context of cloud computing.
• Sample question: In the majority of data
protection laws, when the data is transferred
to a third party custodian, who is ultimately
responsible for the security of the data?
Domain 4. Compliance and Audit
• Domain 4 elaborates on compliance
obligations (such as industry regulations) and
how these can be validated by audits.
• Sample question: What is the most important
reason for knowing where the cloud service
provider will host the data?
Domain 5. Information Management and Data Security
• Domain 5 gives a number of models to apply
to storage technology, as well as data life cycle
and ways of controlling information flow
across it.
• Sample question: What are the six phases of
the data security lifecycle?
Domain 6. Portability and Interoperability
• Domain 6 discusses some considerations
around deploying multiple cloud solutions and
components.
• Sample question: Why is the size of data sets a
consideration in portability between cloud
service providers?
Domain 7. Traditional Security, BCM, D/R
• Domain 7 elaborates on traditional data
center security, the physical side of cloud
computing so to speak, including human
resources.
• Sample question: What are the four D's of
perimeter security?
Domain 8. Data Center Operations
• Domain 8 extends domain 7 by discussing
service management.
• Sample question: In which type of
environment is it impractical to allow the
customer to conduct their own audit, making
it important that the data center operators are
required to provide auditing for the
customers?
Domain 9. Incident Response
• Domain 9 elaborates on the way incident
response processes change when IT resources
interact in real-time across multiple providers
and consumers.
• Sample question: What measures could be
taken by the cloud service provider (CSP) that
might reduce the occurrence of application
level incidents?
Domain 10. Application Security
• Domain 10 discusses risks and control
adaptations from the application architecture
and implementation perspective.
• Sample question: How should an SDLC be
modified to address application security in a
Cloud Computing environment?
Domain 11. Encryption and Key Management
• Domain 11 describes multiple encryption use
cases in cloud environments, as well as their
implications for key management.
• Sample question: What is the most significant
reason that customers are advised to maintain
in-house key management?
Domain 12. Identity and Access Management
• Domain 12 describes how federated identity
and access management will enable secure
cloud deployment.
• Sample question: What two types of
information will cause additional regulatory
issues for all organizations if held as an aspect
of an Identity?
Domain 13. Virtualization
• Domain 13 describes the risks that
virtualization technology brings.
• Sample question: Why do blind spots occur in
a virtualized environment, where network-
based security controls may not be able to
monitor certain types of traffic?
Domain 14. Security as a Service
• Domain 14 describes opportunities and
concerns around using cloud services for
implementing security controls.
• Sample question: When deploying Security as
a Service in a highly regulated industry or
environment, what should both parties agree
on in advance and include in the SLA?
ENISA Document
• The ENISA document lists 35 risk categories,
mostly cloud related. Some industry
regulations specifically refer to these.
• Sample question: Economic Denial of Service
(EDOS) refers to ...
Relation with CCM
• The Cloud Controls Matrix is a security and
compliance control framework
• Cloud specific, cross-references multiple
frameworks, including PCI-DSS, ISO 27001,
HIPAA.
• Controls match “Guidance” recommendations
closely
• Basis for STAR certification of providers
The CCSK exam
• The CCSK examination is a timed, multiple choice
examination you take online. The examination
consists of 60 multiple choice questions selected
randomly from our question pool, and must be
completed within 90 minutes. A participant must
correctly answer 80% of the questions to receive
a passing score. Because the exam is online, it is
open book.
• You get two tries
Studying for CCSK
• Study the documents
• Learn to search them
• There are only a few sample questions out
there
• Consider taking a course; most attendees
pass the test
• For practical background:
– Visit http://www.clubcloudcomputing.com
– Subscribe to the membership site.
What do you need to get CCSK certification?
Please use the chat box now.
QUESTIONS?
Thank you for your attention
www.clubcloudcomputing.com
For more information and class schedules
