Cloud computing security is a topic of increasing interest to IT professionals. Understanding it requires a strong knowledge of both cloud computing and security.
The Cloud Security Alliance’s Certificate of Cloud Security Knowledge (CCSK) is designed to assess knowledge of IT as a Service security. Passing a certification test is always a challenge, since you can never be sure whether there will be trick questions, what topics will be covered, etc.
As someone who had the same worries and is now certified, let me offer you some useful tips. This information is based on the test I passed on April 16, 2012, so it reflects the exam as it was at that time.
I can’t tell you the questions I was asked—in any case, you may not have the same ones—but I’ll give you advice that helped me. Then it’s up to you!
important documents (in theory)
Theoretically, it is important to review these four documents (in order of decreasing importance):
- Cloud Security Alliance: “Security Guidance for Critical Areas of Focus in Cloud Computing Version 2.1”
- European Network and Information Security Agency (ENISA): “Cloud Computing Security Risk Assessment”
- National Institute of Standards and Technology (NIST): “The NIST Definition of Cloud Computing”
- Jericho Forum: “Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration”
important documents (in practice)
If you only have time to read one thing, it should be the Cloud Security Alliance document, which is essential for the test. The “Domain 5 – Information Lifecycle Management” chapter is key—I had quite a few questions about it on the test.
You should also read at least the executive summary of the ENISA document. As for the other two, a quick read-through should suffice.
Of course, the amount of time you need to spend reading the documents depends on your familiarity with the subject matter. I dream about this stuff at night, so I was able to skim over certain areas.
types of questions
The test consists of 50 multiple-choice questions, each with only one correct answer (at least when I took the exam, thank goodness).
The most difficult ones are based on the Cloud Security Alliance document (although those covering “Domain 5 – Information Lifecycle Management” were not too difficult). The questions referring to the other documents are identified as such, so it’s clear where to find the answers—the test is pretty straightforward.
For sample questions, check out the CCSK certification page on the Cloud Security Alliance website.
registration and scoring
You can register and take the test online ($295 for two tries) at any time. The Web interface is easy to use; I didn’t have any problems during my test.
To be CCSK certified, you must correctly answer at least 40 out of 50 questions (80%) within the one-hour time limit.
Overall, the questions are relatively difficult. The questions on the ENISA, NIST and Jericho Forum documents weren’t too hard, though, and you can consult the documents during the test (the “find” bar is quite useful).
using the documents: helpful but not sufficient
Although you are allowed to search the documents, you only have an hour to answer 50 questions. That’s a little more than a minute per question (72 seconds to be exact). That’s not much time, so if you try to just search the documents, you’re likely to have problems. And of course, you can’t pause the test once it has started—that would be too easy.
The “find” bar can come in handy for questions on the ENISA document, and it’s reassuring to have “Domain 5 – Information Lifecycle Management” from the Cloud Security Alliance guide on hand. But consulting the documents is not enough, at least in my experience.
Of course, being certified does not necessarily mean you’re an expert. I've interviewed CISSP-certified candidates who couldn’t clearly explain the principles of a document signature with asymmetric keys.
what’s not in the documents
I had to answer a few questions (two or three) on the security of the Amazon EC2 service. So I encourage you to read (among other things) the “Amazon Web Services: Risk and Compliance” whitepaper and to look at the “Using Security Groups” page in the Amazon EC2 documentation.
Although I got questions about Amazon EC2, it’s entirely possible that you will have questions about other services. Your profession and experience will obviously play a key role here. If you work in cloud security and are a curious person by nature, passing the CCSK test shouldn’t be too difficult.
the pot of gold at the end
When the test ends, you get your score immediately. If everything goes well, you can download your diploma in PDF or HTML format.
You’ll be able to see your success rate in each area (Applied, Domains 1-10 and ENISA), but not which questions you answered incorrectly. I made two mistakes (one in “Domain 3 – Legal and eDiscovery” and another in “Domain 4 – Compliance and Audit”).
Getting certified is not that simple. According to DarkReading's “Cloud Security Certification Not So Simple” (August 9, 2011), only 53% of test takers manage to get the diploma. The article’s author, Jim Reavis, lists four primary topics to study, and I had questions on them during my test.
If you work in cloud security, getting CCSK certified can benefit both you and your employer. If you know the field, you just need to refresh a bit (and concentrate for an hour). In my case, the idea came to me at the office on a Monday morning. I said to myself, “I can do this!” One hour later I had my diploma.
Jean-Francois (aka Jeff)
This post was originally published in French here.
Within the Orange Group’s security department, I am in charge of security monitoring and security awareness. Honesty, optimism and good humor are my daily drivers.