It's no wonder that cloud computing is currently enjoying sunny days. The cloud's internet-based, anytime-anywhere access model has taken the business world by storm over the last decade, enabling flexible enterprise solutions which can easily be scaled to meet changing business priorities and project requirements.
For example, cloud computing provides the power behind these very successful IT service models:
Software as a Service (SaaS) offers cloud-hosted applications which can be accessed by nearly any internet client.
Platform as a Service (PaaS) provides application developers with a full cloud-based development environment that doesn't require dedicated platform maintenance.
Infrastructure as a Service (IaaS) replaces a business's traditional server room with a more manageable IT infrastructure based on virtual servers, workstations, and networks.
As the use of cloud computing has grown, so has the need for robust cloud security solutions. The cloud's defining characteristic of anytime-anywhere, internet-based access is a source of great convenience, but it is also a point of vulnerability. The more ways a network resource can be accessed, the more at risk it is from tampering by idle hands.
Cloud security risks
Cloud computing can be loosely split into private clouds and public clouds. Private clouds are typically self-financed using the resources (and for the benefit) of a single organization. Both capital-intensive and structurally isolated, private clouds that are not meticulously planned and managed can be highly vulnerable to attack.
Hackers and cyberthieves have done their best to make private clouds seem like the online equivalent of a sketchy neighborhood — notorious for crimes like identity theft, online fraud, website hacking, cyberbullying, and trafficking of illegal digital materials.
Public clouds are built and managed by corporate software providers who assume all infrastructure and maintenance costs. Access is sometimes free, often connected to a user-specific service (iTunes, for example), and sometimes fee-based. Public clouds can be just as vulnerable to hackers and online scam artists, but they also present other security challenges related to global regulatory, compliance, and privacy standards.
While geofencing — the practice of blocking internet users from accessing certain online sites and services based outside the country the user lives in — is still commonly used by businesses, users have become more savvy at jumping over these geofences. This places an extra burden on some corporations to ensure their public cloud offerings meet with different international laws dealing with ecommerce, data storage, and user privacy.
Finally, there is the growing phenomenon known as Internet of Things (IoT). The number of smart devices which connect to each other, and then to a cloud-based service on the internet, is growing exponentially. Many of these devices are designed to operate autonomously, doing their work in the background.
The potential security risks inherent with IoT devices are worrying to think about. For example, one current high profile technology — self-driving vehicles — simply cannot have vulnerabilities which can be exploited by malicious individuals.
The CCSP certification
IT/IS security training and certification has been in high demand for several years now. There is a developing employer trend, however, toward having more specialized security experts who match up with specific technologies and job roles. Cloud computing security is no exception to this trend.
Enter the Certified Cloud Security Professional (CCSP) credential from (ISC)2, the same international tech association behind the popular and well-respected Certified Information Systems Security Professional (CISSP) certification. The CCSP certification offers cloud security professionals an industry credential that validates their specialized knowledge and skills.
CCSP certification details
According to (ISC)�, the CCSP certification is aimed at mid-level IT professionals who have a minimum of five years of full-time IT experience, with at least three of those years working with information security, and one year working with a specific cloud computing security.
In fact, these experience guidelines are more than just recommendations: they are a prerequisite for qualifying for the CCSP credential.
Candidates for the CCSP are often associated with the following job roles:
- Security Administrator; Security Engineer; Security Manager
- Systems Engineer; Systems Architect
- Enterprise Architect; Enterprise Security Administrator
(ISC)2 collaborated with Cloud Security Alliance, another international nonprofit IT security association, when it was developing the CCSP credential. IT professionals who have earned the CSA's Certificate of Cloud Security Knowledge can apply it as the one year of cloud security experience required for CCSP qualification.
The CCSP certification exam is a worthy challenge for cybersecurity professionals. The exam consists of 125 multiple-choice questions, for which candidates get four hours to complete. The passing score is 700 out of a possible 1,000 points.
These are the knowledge domains covered by the CCSP exam:
- Architectural Concepts and Design Requirements
- Cloud Data Security
- Cloud Platform and Infrastructure Security
- Cloud Application Security
- Legal and Compliance
The CCSP exam is offered through Pearson VUE test centers, and is currently only offered in English.
Once a candidate has passed the CCSP exam, they must complete the (ISC)2 endorsement application. This involves having a current (ISC)2 certified professional confirm that the candidate has the necessary professional experience. There is a workaround if the candidate doesn't know an incumbent (ISC)2 certified professional.
The CCSP certification is valid for three years after it is awarded. CCSP holders must recertify by earning Continuing Professional Education (CPE) credits as outlined by (ISC)2, as well as paying an annual maintenance fee.
There are several (ISC)2-sponsored training and exam preparation options available for the CCSP certification exam. The self-study options include a dedicated textbook, The Official (ISC)2 Guide to the CCSP CBK. (CBK stands for Common Body of Knowledge.) An outline of the CCSP exam can also be requested through the (ISC)2 website.
Dedicated CCSP training can be taken via instructor-led classroom courses, live or on-demand online courses, or even private onsite training for those with the means to arrange it. The (ISC)2 website has full details of these different CCSP training options.
Seeding the cloud with security
The CCSP is a fairly new industry credential, and one that is expected to gain traction and recognition in the IT workplace the near future. Cloud security has become a well-established cybersecurity specialization, and based on the number of results "cloud security" generates on major job sites, hiring managers are definitely looking for professionals who have the relevant knowledge and skills.
IT/IS security pros should expect to see the CCSP certification from (ISC)2 develop into a valuable, well-recognized credential in the very near future.