Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/9/2011
02:07 PM
Jim Reavis
Jim Reavis
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Cloud Security Certification Not So Simple

Current pass rate of CSA's CCSK test is only 53 percent

One of my favorite guys in the business is Craig Balding, proprietor at cloudsecurity.org. He cannot update the site too frequently because he actually has a real job and a family, but if you have a chance to see him speak, don’t miss it. Craig has built some nice presentations in the past about getting your hands dirty in the cloud, which I have liked quite a bit.

There are a lot of people in the industry with a lot of opinions and “knowledge” about cloud computing and the relevant security issues, and many of these people wouldn’t know an AMI from a USB. Craig has actually encouraged folks to set up accounts at cloud providers, spin up services, and give them a go. There are not a lot of excuses to avoid this when many offer free test drives.

You may know that last September the Cloud Security Alliance we created a certificate of competency called the Certificate of Cloud Security Knowledge (CCSK). This is a Web-based test that in no way is intended to provide full user accreditation, but rather is a baseline of knowledge about the cloud computing security issues and best practices as we know them today. We see this as driving overall awareness in the industry, and we think that is a good thing. Before the test was actually released, there was at least one article written that implied it was going to be a super-simple rubber stamp, and one editor in a “Pulitzer moment” called it “easy peasy.”

We wanted to make this test moderately difficult, but as it has turned out, the exam is harder than we expected. As of this writing, the current pass rate is 53 percent. There is probably no one reason for this, and certainly every test I have taken has had some confusing questions. I am sorry that I cannot provide an answer key in this blog. But having the ability to look at test system analytics, I will tell you that there are professionals running around in our industry who are dangerous! Here are a few general areas people are having problems with:

1. Definitions of the cloud. While nearly everyone can rattle off software-as-a-service (SaaS), Pplatform-as-a-service (PaaS), and infrastructure-as-a-service (IaaS), a surprising number cannot tell you which category some very popular cloud services fall into. A lot of people don’t really understand what a community or hybrid cloud is.

2. Federated identity management. The concept of federated identities is important in the cloud, e.g., leveraging your internal LDAP directory of users to access an external SaaS application.

3. Compliance responsibility. A few questions have been answered in a way that implies many people don’t understand the shared nature of compliance between customer and provider -- you can’t just throw compliance over the wall!

4. Cloud vendor lock-in. A large number of people had problems understanding the important issues related to migrating to different cloud providers, e.g., contractual access to data, data formats, building applications in way that isolates and abstracts proprietary provider extensions, and understanding what is important for different types of clouds.

Oh, well. It's still early in the cloud, and I know my students will be much smarter next year.

Jim Reavis is the executive director of the Cloud Security Alliance, and president of Reavis Consulting Group.

Jim Reavis is the President of Reavis Consulting Group LLC, where he advises organizations on how to take advantage of the latest security trends. Jim has served as an international board member of the Information Systems Security Association and was co-founder of the ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
News
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Commentary
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24119
PUBLISHED: 2021-05-14
A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
CVE-2020-27833
PUBLISHED: 2021-05-14
A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first c...
CVE-2021-22866
PUBLISHED: 2021-05-14
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App o...
CVE-2021-27737
PUBLISHED: 2021-05-14
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
CVE-2021-32054
PUBLISHED: 2021-05-14
Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser.