Are you curious on how to succeed with the CCSK exam from the Cloud Security Alliance? Here we are explaining everything you need to know.
It has been a long time since I first started working with cloud services. I began my first project on AWS in 2010, building the infrastructure for the online presence of a Swiss newspaper. Aside from virtual machines, this included load balancers, auto scaling groups, security groups, databases and some other services. Since then I’ve also spent some time on GCP and played a bit with the initial usage Azure offers for free.
However, I had never looked at security in the cloud from a more general and systematic perspective.
Looking for ways to fill that gap I found the “Cloud and Security Architecture” course from Peter HJ van Eijk to address my needs. The course serves as preparation for the CCSK Exam from the Cloud Security Alliance (CSA). After booking that course, I got access to an e-learning platform and joined five interactive live sessions.
The CCSK exam is structured into 14 domains:
- Cloud Computing Concepts and Architectures
- Governance and Enterprise Risk Management
- Legal Issues, Contracts and Electronic Discovery
- Compliance and Audit Management
- Information Governance
- Management Plane and Business Continuity
- Infrastructure Security
- Virtualization and Containers
- Incident Response
- Application Security
- Data Security and Encryption
- Identity, Entitlement and Access Management
- Security as a Service
- Related Technologies
The course does not follow that order, for a good reason: it makes sense to first ensure that the basic concepts and technologies the cloud builds upon are understood. For example, domains 2 to 4 are covered in the 3rd sessions and not at the beginning.
Having already been familiar with the basic cloud concepts and tools, the first part did not contain much news for me. But it is a very good introduction to give you just the right amount of information in order to see the big picture and enables you to start the journey.
Besides getting a good overview, I also learned new things. For example, I learned where the idea “The right to audit” comes from and that an important part is often omitted. Peter explains that in a publicly available video:
While discussing the domain “Application Security”, I learned what the abbreviations DAST (Dynamic Application Security Testing) and SAST (Static Application Security Testing) mean. Again, the concepts behind these acronyms were not completely new to me. But the course helped me understand what role they play today for application security especially with modern cloud architectures.
During the course, sample questions are discussed. Of course these are not the original questions from the CCSK exam. Still, they helped me get a feel for the style of the questions. Strategies to answer the exam questions are also discussed and exercised. This is not only helpful for the CCSK exam but for many other certification exams we have in the IT industry.
After attending this online course, I spent a few hours thoroughly reading and understanding the full “CSA Security Guidance” document and going through the ENISA Recommendations for secure cloud adoption. With that, I was perfectly prepared and I passed the exam on the first attempt. It should also possible to pass the exam without a course. But the course is a fast track for your learning and helps a lot in keeping the right focus.
I can highly recommend this course and the CCSK certification to engineers, project leaders or managers that are working in a modern IT environment. Cloud based IT services are omnipresent today and the importance of security is only increasing.