Perimeter
8/9/2011
02:07 PM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Security Certification Not So Simple

Current pass rate of CSA's CCSK test is only 53 percent

One of my favorite guys in the business is Craig Balding, proprietor at cloudsecurity.org. He cannot update the site too frequently because he actually has a real job and a family, but if you have a chance to see him speak, don’t miss it. Craig has built some nice presentations in the past about getting your hands dirty in the cloud, which I have liked quite a bit.

There are a lot of people in the industry with a lot of opinions and “knowledge” about cloud computing and the relevant security issues, and many of these people wouldn’t know an AMI from a USB. Craig has actually encouraged folks to set up accounts at cloud providers, spin up services, and give them a go. There are not a lot of excuses to avoid this when many offer free test drives.

You may know that last September the Cloud Security Alliance we created a certificate of competency called the Certificate of Cloud Security Knowledge (CCSK). This is a Web-based test that in no way is intended to provide full user accreditation, but rather is a baseline of knowledge about the cloud computing security issues and best practices as we know them today. We see this as driving overall awareness in the industry, and we think that is a good thing. Before the test was actually released, there was at least one article written that implied it was going to be a super-simple rubber stamp, and one editor in a “Pulitzer moment” called it “easy peasy.”

We wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected. As of this writing, the current pass rate is 53 percent. There is probably no one reason for this, and certainly every test I have taken has had some confusing questions. I am sorry that I cannot provide an answer key in this blog. But having the ability to look at test system analytics, I will tell you that there are professionals running around in our industry who are dangerous! Here are a few general areas people are having problems with:

1. Definitions of the cloud. While nearly everyone can rattle off software-as-a-service (SaaS), Pplatform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), a surprising number cannot tell you which category some very popular cloud services fall into. A lot of people don’t really understand what a community or hybrid cloud is.

2. Federated identity management. The concept of federated identities is important in the cloud, e.g., leveraging your internal LDAP directory of users to access an external SaaS application.

3. Compliance responsibility. A few questions have been answered in a way that implies many people don’t understand the shared nature of compliance between customer and provider -- you can’t just throw compliance over the wall!

4. Cloud vendor lock-in. A large number of people had problems understanding the important issues related to migrating to different cloud providers, e.g., contractual access to data, data formats, building applications in way that isolates and abstracts proprietary provider extensions, and understanding what is important for different types of clouds.

Oh, well. It's still early in the cloud, and I know my students will be much smarter next year.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Title Partner’s Role in Perimeter Security
Title Partner’s Role in Perimeter Security
Considering how prevalent third-party attacks are, we need to ask hard questions about how partners and suppliers are safeguarding systems and data.
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.