Perimeter
8/9/2011
02:07 PM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%
Repost This

Cloud Security Certification Not So Simple

Current pass rate of CSA's CCSK test is only 53 percent

One of my favorite guys in the business is Craig Balding, proprietor at cloudsecurity.org. He cannot update the site too frequently because he actually has a real job and a family, but if you have a chance to see him speak, don’t miss it. Craig has built some nice presentations in the past about getting your hands dirty in the cloud, which I have liked quite a bit.

There are a lot of people in the industry with a lot of opinions and “knowledge” about cloud computing and the relevant security issues, and many of these people wouldn’t know an AMI from a USB. Craig has actually encouraged folks to set up accounts at cloud providers, spin up services, and give them a go. There are not a lot of excuses to avoid this when many offer free test drives.

You may know that last September the Cloud Security Alliance we created a certificate of competency called the Certificate of Cloud Security Knowledge (CCSK). This is a Web-based test that in no way is intended to provide full user accreditation, but rather is a baseline of knowledge about the cloud computing security issues and best practices as we know them today. We see this as driving overall awareness in the industry, and we think that is a good thing. Before the test was actually released, there was at least one article written that implied it was going to be a super-simple rubber stamp, and one editor in a “Pulitzer moment” called it “easy peasy.”

We wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected. As of this writing, the current pass rate is 53 percent. There is probably no one reason for this, and certainly every test I have taken has had some confusing questions. I am sorry that I cannot provide an answer key in this blog. But having the ability to look at test system analytics, I will tell you that there are professionals running around in our industry who are dangerous! Here are a few general areas people are having problems with:

1. Definitions of the cloud. While nearly everyone can rattle off software-as-a-service (SaaS), Pplatform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), a surprising number cannot tell you which category some very popular cloud services fall into. A lot of people don’t really understand what a community or hybrid cloud is.

2. Federated identity management. The concept of federated identities is important in the cloud, e.g., leveraging your internal LDAP directory of users to access an external SaaS application.

3. Compliance responsibility. A few questions have been answered in a way that implies many people don’t understand the shared nature of compliance between customer and provider -- you can’t just throw compliance over the wall!

4. Cloud vendor lock-in. A large number of people had problems understanding the important issues related to migrating to different cloud providers, e.g., contractual access to data, data formats, building applications in way that isolates and abstracts proprietary provider extensions, and understanding what is important for different types of clouds.

Oh, well. It's still early in the cloud, and I know my students will be much smarter next year.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-0360
Published: 2014-04-23
Memory leak in Cisco IOS before 15.1(1)SY, when IKEv2 debugging is enabled, allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCtn22376.

CVE-2012-1317
Published: 2014-04-23
The multicast implementation in Cisco IOS before 15.1(1)SY allows remote attackers to cause a denial of service (Route Processor crash) by sending packets at a high rate, aka Bug ID CSCts37717.

CVE-2012-1366
Published: 2014-04-23
Cisco IOS before 15.1(1)SY on ASR 1000 devices, when Multicast Listener Discovery (MLD) tracking is enabled for IPv6, allows remote attackers to cause a denial of service (device reload) via crafted MLD packets, aka Bug ID CSCtz28544.

CVE-2012-3062
Published: 2014-04-23
Cisco IOS before 15.1(1)SY, when Multicast Listener Discovery (MLD) snooping is enabled, allows remote attackers to cause a denial of service (CPU consumption or device crash) via MLD packets on a network that contains many IPv6 hosts, aka Bug ID CSCtr88193.

CVE-2012-3918
Published: 2014-04-23
Cisco IOS before 15.3(1)T on Cisco 2900 devices, when a VWIC2-2MFT-T1/E1 card is configured for TDM/HDLC mode, allows remote attackers to cause a denial of service (serial-interface outage) via certain Frame Relay traffic, aka Bug ID CSCub13317.

Best of the Web