Ask the Expert

Will Certificate of Cloud Security Knowledge boost cloud security best practices?

What do you think about the Cloud Security Alliance's new certification? Is it mostly a public relations effort, or is it a worthwhile way for companies to ensure the cloud services they use are secure?

    Requires Free Membership to View

    Login

The Cloud Security Alliance (CSA) is a not-for-profit organization that promotes the use of security best practices within cloud computing. It's certainly a well-respected organization and the Cloud Security Alliance research includes the Security Guidance for Critical Areas of Focus in Cloud Computing, which many are using as a best practices manual for securing cloud computing. It's new Certificate of Cloud Security Knowledge (CCSK) is the first user certification program covering cloud computing security.

The CCSK examination is a hour-long online test and consists of 50 multiple choice questions. 70% of the questions are based on the Security Guidance for Critical Areas of Focus in Cloud Computing V2.1, 20% are on the European Network and Information Security Agency's (ENISA) whitepaper "Cloud Computing: Benefits, Risks and Recommendations for Information Security", with the remaining 10% relating to the best practices detailed in both documents. The pass mark is 80%.

Can you have total confidence that the cloud services you use are secure and robust because they've been designed and implemented by people with CCSK? Of course not. All it proves is that an individual has successfully completed an examination covering the key concepts of the CSA and ENISA guidance. It confirms someone has the knowledge, but not necessarily the practical experience of using that knowledge. What it does show is a commitment to security and that certainly allows for more confidence. Anyone with CCSK should have an understanding of cloud security issues and best practices, so hopefully basic security controls will be in place and correctly implemented.

Moving to the cloud is a significant risk management decision for any organization. Security is certainly the most significant issue holding back the adoption of cloud computing for confidential information or critical business processes. The industry certainly needs professionals who can implement cloud computing with the appropriate security controls, and training and certification are a necessary part of that process. Any certificate can give a false sense of security, but this certification, while certainly helping public relations, will help organizations when they look to recruit staff, as it will show the level of knowledge of the security threats and best practices in cloud security. The security model for cloud computing is unproven, and, because it's new, there is a lack of guidance and education. The Cloud Security Alliance is doing a god job of changing that; if you're interested in learning more about the CCSK, visit www.cloudsecurityalliance.org.

This was first published in September 2010

Join the conversationComment

Share
Comments

    Results

    Contribute to the conversation

    All fields are required. Comments will appear at the bottom of the article.
    Back to top