New Cloud Security Certification
Cloud security certification is getting a new dimension. At the RSA conference earlier this month the Cloud Security Alliance (CSA) and (ISC)² announced a new cloud security certification: Certified Cloud Security Professional, or CCSP for short.
(ISC)² is most famous for its flagship certification: Certified Information Systems Security Professional or CISSP. More than 100,000 professionals maintain this certification and it is widely recognized. The Cloud Security Alliance pioneered the cloud security field a few years ago, and runs the CCSK (Certificate of Cloud Security Knowledge) programme.
The CCSP body of knowledge covers 6 domains:
- Architectural Concepts and Design Requirements
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Operations
- Legal and Compliance
CCSP is supposed to be a more extensive certification than CCSK. It has a more formal exam and a requirement for five years in IT of which three years must be spent in security and one year in cloud computing. On top of that, similar to CISSP, there is a requirement to uphold the certification by earning CPE (continuing professional education) points.
It is a sign of a maturing industry that these two forces are combining their best practices. Cloud computing has left the pioneering stage, and there are currently multiple cloud providers that count their yearly revenue in the billions of dollars.
“Many enterprises have told us that cloud computing is becoming their primary IT system,” says Jim Reavis, CEO of the Cloud Security Alliance. “An effective cloud security strategy and architecture adds several nuances to traditional security best practices; which is why it’s critical to accelerate efforts to address the cloud security skills gap. CCSP helps to set the highest standard for cloud security expertise. The program we have developed with (ISC)² creates strong incentives for information security professionals to obtain both the CCSK and CCSP, which will create a workforce of experts who possess a mastery of the broadest cloud security body of knowledge.”
While (ISC)² coming to the game underlines the relevance and maturity of cloud security, there will be some questions left for people who either have or are pursuing CCSK certification. (Disclaimer: I am an active CCSK trainer, and I wrote one of the chapters of the CCSP study guide.)
According to the founding fathers of CCSP, both certifications will co-exist. The (ISC)² website states: “The typical cloud security professional will likely achieve the CCSK first, and then the CCSP credential. Attainment of the CCSK can also be substituted for the one year of cloud security experience”
Other text on the website suggests that CCSK can be seen as somewhat of a broad base, on top of which CCSP is built as a more extensive certification. However, in my experience as a CCSK trainer, even though CCSK is a good introduction into cloud security, it is not shallow. It takes a few days of dedicated training and study to pass the exam.
So is there any sense in still going for CCSK, or should you wait for CCSP to become available? To answer that question you first need to consider why you would want to take the training and the certification. If you want to collect badges, you might want to attain both certifications. If you need to address cloud security in your job right now, it makes sense to do CCSK soon. Participants in my CCSK training report that it helps them now in their day jobs, even more so if they take it as a team. Looking at the CCSP release schedules gives the impression that general availability of training is still at least months away. On the other hand, if you are already very knowledgeable and experienced in cloud and cloud security, CCSK may not add much to your current business value other than public recognition.
By Peter Hj van Eijk
