Insight Into CCSK Certification
Though perhaps not as prominent as the widely known Certified Information Systems Auditor (CISA) and Certified Information Systems Security Professional (CISSP) certifications, the Certificate of Cloud Security Knowledge (CCSK) can also be helpful to cybersecurity professionals.
I hadn’t heard of CCSK until I started with Schellman, but since they supported me in my interest in obtaining more credentials to expand my knowledge base and career opportunities, I went for this one after considering my options among the hundreds of certifications available to those of us in the industry.
In this article, I’m going to provide some insight into this certification, including details on the 14 domains that cover most of the exam. I successfully obtained CCSK certification, and after reading this, you should be able to do the same.
What is CCSK?
These days, many organizations are working in some capacity in the cloud, regardless of which industry they’re in—that’s likely due to the many benefits of cloud computing, including:
- Enhanced scalability
- Reduced maintenance requirements
- Reduced costs
- Pay-as-you-go model
- Increasing or decreasing resources, depending on demand
More data in the cloud means more cybersecurity concerns, and that’s where CCSK comes in. Offered by the Cloud Security Alliance (CSA), the CCSK provides candidates effective practices for protecting data in the cloud. More relevant than ever, CCSK can help professionals better understand critical facets regarding cloud computing, including:
- The inimitable challenges presented by the cloud
- Best practices to promote secure cloud environments
- How cloud architectures should be planned and applied appropriately
As it’s recognized in the industry as a standard for cloud-security expertise, should you successfully pass the exam and become certified, not only will you have a certification, you will:
- Boost your professional credibility as you’ll have proved your proficiency in cloud security.
- Demonstrate that you’re better prepared for engagements, projects, or roles involving cloud security management practices, consultancy, and risk assessment.
What are the CCSK Domains?
But to do that, you’ll of course need to pass. During the CCSK exam, you’re provided three study materials and must answer 60 open-book questions in 90 minutes.
Questions regarding “Security Guidance for Critical Areas of Focus in Cloud Computing v4.0” makes up most of the exam material, of which there are 14 domains:
|
1) Cloud Computing Concepts and Architecture |
Defines cloud computing at its most fundamental level and makes use of related architectural frameworks, including descriptions of important cloud computing properties, as well as pertinent service and deployment approaches. |
|
2) Governance and Enterprise Risk Management |
Addresses the effect that cloud computing has on how an entire organization is run. |
|
3) Legal Issues, Contracts, and Electronic Discovery |
Tackles the legal repercussions that businesses must consider when switching to the cloud. The chapter demonstrates various legal systems that differ according to jurisdictional location. |
|
4) Compliance and Audit Management |
Explores processes of audit management and compliance frameworks that are industry-specific to provide an understanding of compliance in cloud environments. |
|
5) Information Governance |
Concentrates on the protection of data in cloud environments, including the implementation of data governance frameworks as well as the classification of data, data retention, and data-loss prevention. |
|
6) Management Plane and Business Continuity |
Emphasizes the management and administration-level tools and best practices for using the cloud, including those for data provisioning and de-provisioning, monitoring and logging, and lifecycle management. |
|
7) Infrastructure Security |
Details how organizations can secure networks, tools, and servers through segmentation and intrusion detection systems (IDS). |
|
8) Virtualization and Containers |
Defines virtualization along with the usage of containers and hypervisors and how they can be integral to an organization. |
|
9) Incident Response |
Speaks to the incident response lifecycle, from detection/response techniques to incident handling. |
|
10) Application Security |
Highlights control functions that organizations can use in the cloud to secure their cloud environments. |
|
11) Data Security and Encryption |
Covers data security controls and how organizations can protect data when it is at rest, in motion, and in use within the cloud. |
|
12) Identity, Entitlement, and Access Management |
Outlines how identity and access management (IAM)—including measures such as single sign-on (SSO) solutions and other authentication mechanisms—are important to ensuring security within the cloud. |
|
13) Security as a Service |
Addresses security services that are provided by third-party providers and Cloud Security Providers (CSPs). |
|
14) Related Technologies |
Touches upon the relevant technologies like Big Data, Internet of Things, and how the cloud factors in. |
What Will You Learn During the CCSK Exam?
If these 14 domains make up about 85% of the exam, guidance from ENISA and CCM account for the remaining 15%:
- European Union Agency for Cybersecurity (ENISA): The advice and tools offered by ENISA provide into the broader landscape of cybersecurity, particularly on a global scale, including cloud security issues.
- CSA’s Cloud Controls Matrix (CCM): An integral tool for organizations looking to assess security controls implemented by cloud service providers (CSPs) before engaging with their services.
Below are a few highlighted details that you’ll learn and study during the CCSK exam (categorized by CSA domain guidance):
| Domain |
Relevant Details |
|---|---|
|
Domain 1 Cloud Computing Concepts and Architectures
|
3 Types of Service Models:
4 Types of Deployment Models:
4 Levels of the Logical Model (from bottom to top layer):
|
|
Domain 3 Legal Issues, Contracts, and Electronic Discovery |
2 Roles of Data Handlers Data Controller: Responsible for the collection/processing of the data Data Processor: Processes the data on behalf of the data controller |
|
Domain 5 Information Governance |
6 Phases of the Data Security Lifecycle:
|
|
Domain 6 Management Plane and Business Continuity |
The Metastructure Level
|
|
Domain 7 Infrastructure Security |
Of the multiple types of compute abstraction types, the most common are:
|
|
Domain 9 Incident Response |
The 4 Phases of the Incident Response Lifecycle:
|
|
Domain 14 Related Technologies |
Big Data is classified by the “3 Vs”:
|
Possessing expertise in all these areas—the 14 domains within CSA’s Security Guidance together with knowledge of ENISA and CCM—and passing the exam will demonstrate to your (potential) employers and clients alike that you have a thorough understanding of the basics of cloud security and understand how to effectively deploy cloud knowledge regardless of vendor.
Moving Forward with Your CCSK Certification
In my personal opinion, CCSK is a great baseline certification for anyone looking to start building their professional development. It offers potential growth in everything related to the cloud—including the design, implementation, and management of secure cloud environments—as well as the relevant security processes.
By becoming certified in CCSK, professionals will not only be better prepared to handle the ongoing challenges presented by the adaptable and rapidly expanding cloud security field, but they’ll also be better qualified to enjoy all that cloud computing has to offer.
If you’re still not sure if CCSK is right for you, make sure to check out our other articles that can provide valuable insight into different cybersecurity courses or certifications you may be considering: