Cloud computing is changing everything. More than ever before, organizations are adopting cloud technology to capitalize on its speed, scale and economics. The cloud is transforming IT and affecting nearly every other area of industry. CompTIA’s Fifth Annual Trends in Cloud Computing report, released last year, estimates that 90 percent of U.S. businesses use some form of cloud technology.
This aggressive, society-wide move to cloud computing has created a hybrid environment that combines traditional in-house IT infrastructure with cloud-based solutions and services. Of course, as with any transformational technology, there are accompanying risks. One of the biggest of these is maintaining the security of an organization’s infrastructure and data when part of both now lives outside its own data center.
To help address the security risks of cloud computing, (ISC)² and the Cloud Security Alliance (CSA) recently released a new credential, the Certified Cloud Security Professional (CCSP) certification. CertMag recently exchanged emails with David Shearer, Executive Director of (ISC)², to learn more about CCSP and its potential to protect an organization’s cloud-based services.
Q: How did (ISC)² determine that there was a need for a new cert? What were the factors that got the ball rolling on the CCSP?
David Shearer: (ISC)² recognized the rapid growth of cloud solutions and services through our global membership and (our) foundation’s research. We were also monitoring the industry-respected work of the Cloud Security Alliance (CSA) regarding their research and the Certificate of Cloud Security Knowledge (CCSK).
In April 2013, (ISC)² and the Cloud Security Alliance entered into a partnership to build a cloud certification, and since 2013, there’s been increasing validation of a market need for a cloud certification. For example, according to the 2015 (ISC)² Global Information Security Workforce Study, 73 percent of respondents believe that cloud computing will require information security professionals to develop new skills. Further, 70 percent of respondents believe that a cloud security certification program would be at least somewhat relevant to them. Cloud computing was identified as the top area of information security with a growing demand for education and training within the next three years.
Q: What is contributing to the rapid growth and change in cloud computing? Why?
DS: The cloud provides multiple business and consumer benefits, many of which relate to business agility and cost of ownership.
The growing adoption of cloud services will increase the demand for security professionals who can apply the proper controls to public, private, community and hybrid cloud models. Also, cloud service providers, organizations adopting cloud services and professional service firms assisting with cloud management and implementation will all need qualified cloud professionals. As organizations augment and in some cases replace traditional in-house IT architectures with cloud-based solutions and services, cloud expertise will move from a “nice to have” capability to a “must have.”
Q: What are some of the challenges unique to cloud security?
DS: Addressing secure integration between in-house and cloud-based information systems is critical to assuring no degradation to an organization’s security posture as a result of leveraging cloud-based solutions and services. Systems integration that includes cloud solutions requires consideration of secure system interfaces; Identity and Access Management (IAM); shared incident management strategies; and data encryption considerations (i.e., during transmission and at rest).
Cloud solutions and services are increasingly being leveraged by IT and business units. Consequently, cloud solutions and services must integrate with in-house IT infrastructure, information systems and data assets. Information technology professionals who understand how cloud services can be securely implemented and managed within their organization’s IT and business strategy are essential.
Q: What makes the CCSP cert so special?
DS: (ISC)² and the Cloud Security Alliance (CSA) have developed a cloud security credential that defines the qualifications and experience level necessary to secure cloud services. The Certified Cloud Security Professional (CCSP) validates that professionals have met the highest standard for cloud security expertise, so they can benefit from the power of cloud computing while keeping sensitive data secure.
Q: What exactly is the difference between the CCSP and the CCSK?
DS: Professionals whose job requirements include a heavy involvement with cloud security should pursue both the CCSK and CCSP. The CCSK is an excellent indicator of baseline cloud security knowledge. It is appropriate for a wide range of IT professionals, including those in governance and compliance and even some non-IT professionals. The CCSP credential is intended for professionals who are heavily involved in cloud security via roles that are accountable for protecting enterprise architectures.
Q: How did (ISC)² and Cloud Security Alliance decide to partner on the new certification?
DS: (ISC)² and the Cloud Security Alliance recognized their areas of strength and saw the opportunity for a joint initiative to build a cloud certification that would complement the Certificate of Cloud Security Knowledge.
There is demand among (ISC)² members and the information security industry for a global, vendor-neutral, advanced cloud security professional certification. Cloud computing has emerged as a critical topic area within IT that requires further security considerations. As the largest not-for-profit membership body of certified information security professionals worldwide, (ISC)² recognizes that security must be addressed within cloud computing in order for the IT and information security fields to thrive in the future.
Q: What did each party bring to the table?
DS: CSA has very strong research capabilities and is respected throughout the cloud community. (ISC)² has a strong reputation and a proven ability to develop cybersecurity-related certifications and corresponding education. Both are world-renowned, respected organizations in the information security and cloud computing industries, respectively. They have converged their industry expertise to offer a vendor-neutral, advanced cloud security professional certification. Both have extensive and comprehensive bodies of knowledge developed by global subject matter experts that address cloud security.
CSA is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud—from providers and customers, to governments, entrepreneurs and the assurance industry—and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the "Security Guidance for Critical Areas of Focus in Cloud Computing", the "Cloud Controls Matrix", "Top Threats to Cloud Computing" and 50 other cloud security research artifacts.
The heads of both organizations also spoke to this topic in more detail in a video that is available on the (ISC)² YouTube Channel.
Q: How long does it take to develop a new certification, and what’s involved in that process?
DS: The length varies among certifications and circumstances. Developing a professional credential is a long-term process that requires detailed planning, precision and analytical processes. International industry subject matter experts and luminaries are assembled to work through a well-defined process in accordance with ISO/IEC 17024:2012.
Q: Describe the vetting process. How does (ISC)² determine whether a new certification program will actually provide certified individuals with the skills that they need to deliver effective, efficient solutions in the workplace?
DS: As a Certification Body, defined by ISO/IEC 17024:2012, (ISC)² follows a rigorous process that requires us to:
• Define what it is we examine (the competencies).
• Establish the associated knowledge, skills and personal attributes.
• Develop an independent examination.
• Ensure the examination is a valid test of competence, where competency is typically described as “the demonstrated ability to apply knowledge, skills and attributes.”
(ISC)² does not introduce any certification until we are confident that it meets the full needs of our professional communities and is in accordance with ISO/IEC 17024:2012.
Q: Does (ISC)² have training materials and instruction available for those wishing to pursue CCSP right away?
DS: The CCSP exam outline is a useful self-study aid. It provides an overview of each domain and a list of key knowledge areas in each of the domains, as well as a list of references to aid candidates in studying the domains in depth. The electronic version of the Official Guide to the (ISC)² CCSP CBK textbook will be available at a later date. The (ISC)² Training Courses for the CCSP will be available starting June 8, 2015 in the United States.
Q: Are there any authorized partners developing training and instruction materials?
DS: All (ISC)² Official Training Providers use the authorized content that is developed by (ISC)² for their classes.