Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/9/2011
02:07 PM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Security Certification Not So Simple

Current pass rate of CSA's CCSK test is only 53 percent

One of my favorite guys in the business is Craig Balding, proprietor at cloudsecurity.org. He cannot update the site too frequently because he actually has a real job and a family, but if you have a chance to see him speak, don’t miss it. Craig has built some nice presentations in the past about getting your hands dirty in the cloud, which I have liked quite a bit.

There are a lot of people in the industry with a lot of opinions and “knowledge” about cloud computing and the relevant security issues, and many of these people wouldn’t know an AMI from a USB. Craig has actually encouraged folks to set up accounts at cloud providers, spin up services, and give them a go. There are not a lot of excuses to avoid this when many offer free test drives.

You may know that last September the Cloud Security Alliance we created a certificate of competency called the Certificate of Cloud Security Knowledge (CCSK). This is a Web-based test that in no way is intended to provide full user accreditation, but rather is a baseline of knowledge about the cloud computing security issues and best practices as we know them today. We see this as driving overall awareness in the industry, and we think that is a good thing. Before the test was actually released, there was at least one article written that implied it was going to be a super-simple rubber stamp, and one editor in a “Pulitzer moment” called it “easy peasy.”

We wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected. As of this writing, the current pass rate is 53 percent. There is probably no one reason for this, and certainly every test I have taken has had some confusing questions. I am sorry that I cannot provide an answer key in this blog. But having the ability to look at test system analytics, I will tell you that there are professionals running around in our industry who are dangerous! Here are a few general areas people are having problems with:

1. Definitions of the cloud. While nearly everyone can rattle off software-as-a-service (SaaS), Pplatform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), a surprising number cannot tell you which category some very popular cloud services fall into. A lot of people don’t really understand what a community or hybrid cloud is.

2. Federated identity management. The concept of federated identities is important in the cloud, e.g., leveraging your internal LDAP directory of users to access an external SaaS application.

3. Compliance responsibility. A few questions have been answered in a way that implies many people don’t understand the shared nature of compliance between customer and provider -- you can’t just throw compliance over the wall!

4. Cloud vendor lock-in. A large number of people had problems understanding the important issues related to migrating to different cloud providers, e.g., contractual access to data, data formats, building applications in way that isolates and abstracts proprietary provider extensions, and understanding what is important for different types of clouds.

Oh, well. It's still early in the cloud, and I know my students will be much smarter next year.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
6 Small-Business Password Managers
Curtis Franklin Jr., Senior Editor at Dark Reading,  11/8/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprise
Assessing Cybersecurity Risk in Today's Enterprise
Security leaders are struggling to understand their organizations risk exposure. While many are confident in their security strategies and processes, theyre also more concerned than ever about getting breached. Download this report today and get insights on how today's enterprises assess and perceive the risks they face in 2019!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2011-5271
PUBLISHED: 2019-11-12
Pacemaker before 1.1.6 configure script creates temporary files insecurely
CVE-2014-3599
PUBLISHED: 2019-11-12
HornetQ REST is vulnerable to XML External Entity due to insecure configuration of RestEasy
CVE-2014-7143
PUBLISHED: 2019-11-12
Python Twisted 14.0 trustRoot is not respected in HTTP client
CVE-2018-18819
PUBLISHED: 2019-11-12
A vulnerability in the web conference chat component of MiCollab, versions 7.3 PR6 (7.3.0.601) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP2 (8.0.2.202), and MiVoice Business Express versions 7.3 PR3 (7.3.1.302) and earlier, and 8.0 (8.0.0.40) through 8.0 SP2 FP1 (8.0.2.202), could allow creat...
CVE-2019-18658
PUBLISHED: 2019-11-12
In Helm 2.x before 2.15.2, commands that deal with loading a chart as a directory or packaging a chart provide an opportunity for a maliciously designed chart to include sensitive content such as /etc/passwd, or to execute a denial of service (DoS) via a special file such as /dev/urandom, via symlin...