Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/9/2011
02:07 PM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Security Certification Not So Simple

Current pass rate of CSA's CCSK test is only 53 percent

One of my favorite guys in the business is Craig Balding, proprietor at cloudsecurity.org. He cannot update the site too frequently because he actually has a real job and a family, but if you have a chance to see him speak, don’t miss it. Craig has built some nice presentations in the past about getting your hands dirty in the cloud, which I have liked quite a bit.

There are a lot of people in the industry with a lot of opinions and “knowledge” about cloud computing and the relevant security issues, and many of these people wouldn’t know an AMI from a USB. Craig has actually encouraged folks to set up accounts at cloud providers, spin up services, and give them a go. There are not a lot of excuses to avoid this when many offer free test drives.

You may know that last September the Cloud Security Alliance we created a certificate of competency called the Certificate of Cloud Security Knowledge (CCSK). This is a Web-based test that in no way is intended to provide full user accreditation, but rather is a baseline of knowledge about the cloud computing security issues and best practices as we know them today. We see this as driving overall awareness in the industry, and we think that is a good thing. Before the test was actually released, there was at least one article written that implied it was going to be a super-simple rubber stamp, and one editor in a “Pulitzer moment” called it “easy peasy.”

We wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected. As of this writing, the current pass rate is 53 percent. There is probably no one reason for this, and certainly every test I have taken has had some confusing questions. I am sorry that I cannot provide an answer key in this blog. But having the ability to look at test system analytics, I will tell you that there are professionals running around in our industry who are dangerous! Here are a few general areas people are having problems with:

1. Definitions of the cloud. While nearly everyone can rattle off software-as-a-service (SaaS), Pplatform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), a surprising number cannot tell you which category some very popular cloud services fall into. A lot of people don’t really understand what a community or hybrid cloud is.

2. Federated identity management. The concept of federated identities is important in the cloud, e.g., leveraging your internal LDAP directory of users to access an external SaaS application.

3. Compliance responsibility. A few questions have been answered in a way that implies many people don’t understand the shared nature of compliance between customer and provider -- you can’t just throw compliance over the wall!

4. Cloud vendor lock-in. A large number of people had problems understanding the important issues related to migrating to different cloud providers, e.g., contractual access to data, data formats, building applications in way that isolates and abstracts proprietary provider extensions, and understanding what is important for different types of clouds.

Oh, well. It's still early in the cloud, and I know my students will be much smarter next year.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...