Cloud Security Knowledge Sharing By Guy-Bertrand Kamga

To promote a Secure Cloud-Based Digital Transformation


Dealing with Shared Responsibility Model in public Cloud

Cloud computing radically changes the way computing services are provided and consumed; both cloud service providers and cloud service customers need to adapt to this new information technology service delivery model.

On one hand, in public cloud services, customers rent resources (e.g. software or applications, platforms, servers, etc.) running on platforms owned and operated by external service providers. Cloud customers generally pay for the services in proportion to their consumption (known as the pay-as-you-go billing or pricing model), and they can automatically scale (horizontally or vertically) based on their needs. These are only a few of the numerous benefits of public clouds.

On the other hand, public clouds are platforms shared between several customers (including competitors, hackers, criminal organizations, etc.). That is why, ever since the first public cloud service offering was launched by Amazon Web Services (AWS) in 2006, security and compliance risks have consistently been among the top barriers to public cloud adoption.

When it comes to security in the public cloud, one of the main concepts to understand is the Shared Responsibility Model.

I released on Peerlyst (a web community of security professionals) a series of 3 posts focusing on shared responsibility in the public cloud.

In the first post, you will learn some tips that can help you understand how security responsibility is shared between the Cloud Service Provider (CSP) and the Cloud Service Customer (CSC), and how a cloud customer should take this aspect into account when defining and implementing its cloud security strategy.

In the second post of the series, I provided some tips that can help a CSC build a detailed view of the shared responsibility in the public cloud. In particular, I highlighted how important a clear understanding of the chain of responsibility on both the CSP and CSC sides is, as well as the key role of a cloud security RACI matrix.

In that second post, I also briefly introduced a Cloud Responsibility Checklist which can help a CSC evaluate to what extent its security responsibilities in a public cloud are under control.

In the third and last post of the series, I proposed a process that a CSC can use to keep control of the shared responsibility model in the public cloud. This process includes the following 3 main steps:

  • Clarification of the responsibility scope
  • Identification and agreement on the responsibility delimitation with the CSP & partners
  • Evaluation of the alignment to the CSC’s cloud strategy

This process can help a CSC ensure not only that it understands and takes care of its own responsibilities in the cloud, but also that the CSP and all involved partners have formally agreed with the CSC on their scope of responsibility.

7 steps to become a CCSP (Certified Cloud Security Professional)

If you are in one of the following situations:

  • looking for a new IT Security Certification
  • looking for a way to challenge your Cloud Security knowledge and expertise
  • looking for a vendor-neutral Cloud Security Certification
  • planning to pass the CCSP but don’t know what effort it requires

then learn in this article how to get the CCSP certification, one of the most highly recognized cloud security certifications in the industry.

1) Start by learning some facts about the CCSP

The table below lists the number of CCSP versus CISSP holders in OECD countries as of Jan 1, 2018.

Number of CCSP vs CISSP in OECD Countries as of Jan 1, 2018

The number of CCSP holders for all countries can be found on the (ISC)2 website.

2) Check the CCSP’s prerequisites or requirements

The CCSP requires 5 years of cumulative, paid, full-time work experience in IT, including 3 years in information security and 1 year in one or more of the 6 domains of the CCSP Common Body of Knowledge (CBK).

CCSP Common Body of Knowledge (CBK)

Important: earning the CSA’s CCSK (Certificate of Cloud Security Knowledge) can be substituted for one year of experience in one or more of the six domains of the CCSP CBK. Earning the (ISC)2 CISSP (Certified Information Systems Security Professional) can be substituted for the whole of the CCSP’s experience requirements.

3) Review the potential CCSP’s benefits

  • Instant credibility and differentiation (earn trust from your clients or senior leadership)
  • Unique recognition (highest standard for cloud security expertise)
  • Staying ahead (keeps you current on evolving technologies, new threats and new mitigation strategies)
  • Versatility (vendor-neutral, valuable across a variety of different cloud platforms)
  • Career advancement (e.g. moving from internal subject matter expert to more strategic roles)

4) Check if the CCSP is appropriate for you

Ideal candidates for the CCSP are generally people working (or planning to work) with cloud technologies in roles such as:

  • Systems Engineer
  • Systems Architect
  • Enterprise Architect
  • Security Engineer
  • Security Analyst
  • Security Architect
  • Security Consultant
  • Security Administrator
  • Security Manager

5) Select the right training format

Several training formats are available to prepare for the CCSP. Depending on your level of cloud security knowledge and your budget, one of the following formats can be selected:

  • In-person training seminars (classroom based training or private on-site training), 5 full days (40 hours)
  • Online training seminars (instructor-led or self-paced training), 2 to 3 months (2 to 5 hours per week)
  • Self-study using the (ISC)2 CCSP official study guide, available on Amazon’s e-commerce site and covering 100% of the CCSP exam objectives.

Self-paced online training or self-study requires a smaller budget and gives CCSP candidates more flexibility, but these formats are appropriate only for candidates who already have enough experience in the 6 domains of the CCSP CBK.

An instructor-led training seminar would be more appropriate for those with less experience in the 6 domains of the CCSP CBK.

Whatever the selected training format, several additional study tools are available for free on the (ISC)2 website.

6) Schedule for the exam

When you are ready, you must schedule your exam at a Pearson VUE testing center.

The CCSP exam has the same structure as the CISSP exam, but with fewer questions and a shorter duration:

  • Duration: 4 hours
  • Number of questions: 125
  • Question format: Multiple choice
  • Passing grade: 700 out of 1000 points
  • Available language: English

7) Maintain the CCSP

To maintain the CCSP certification, you need to:

  • Abide by the (ISC)² Code of Ethics
  • Earn and post 30 Continuing Professional Education (CPE) credits per year
  • Pay your Annual Maintenance Fee (AMF), USD 100 per year

Additional information to prepare for the CCSP can be found on the (ISC)2 website.