Creating tools to support Cloud Service Providers (CSPs) transparency and assurance
Thanks to the support of our peer reviewers and contributors (including the EU projects SPECS, A4Cloud and CUMULUS), we are pleased to announce the release of the CSA Cloud Trust Protocol (CTP) data model and API specification.
The Cloud Trust Protocol (CTP) is designed to be a mechanism by which cloud service customers can ask for and receive information related to the security of the services they use in the cloud, promoting transparency and trust.
A prototype implementation of the CTP API will be released as open source by mid-December 2015. This will allow us to validate and fine-tune the CTP API in a set of concrete use-cases. CTP peer reviewers will be provided early access to the CTP code repository.
The Cloud Security Alliance is a partner in the EU FP7 SPECS project.
About the SPECS project
The SPECS project aims at developing and implementing an open source framework to offer Security-as-a-Service, by relying on the notion of security parameters specified in Service Level Agreements (SLA), and also providing the techniques to systematically manage their life-cycle.
“Shadow IT,” or solutions not specified or deployed by the IT department, now account for 35 percent of enterprise applications. Research shows an increase in IT shadow spend with numbers projected to grow another 20 percent by the end of 2015.
Experts agree that shadow IT is here to stay, particularly the growing tendency to use cloud services for collaboration, storage and customer relationship management.
Enterprise organizations can’t afford to bypass the productivity and profitability that comes with a happy and enabled mobile workforce. However, the utilization of SaaS that IT has not vetted and approved may expose regulated or protected personal data, which a business is responsible for remediating.
California leads the way in the privacy arena with the Security Breach Notification Law and Online Privacy Protection Act. The Federal Trade Commission is the primary U.S. enforcer of national privacy laws, with other national and state agencies authorized to enforce additional privacy laws in vertical industries such as banking and health care.
Sanctions and remedies for non-compliance with FTC data protection laws include penalties of up to US $16,000 for each offense. The FTC can also obtain an injunction, restitution to consumers, and repayment of investigation and prosecution costs. Criminal penalties include imprisonment for up to ten years. In 2006, a data broker agreed to pay US $15 million to settle charges filed by the FTC for failing to adequately protect the data of millions of consumers. Settlements with government agencies can also include onerous reporting requirements, audits and monitoring by third parties. A major retailer that settled charges of failing to adequately protect customers' credit card numbers agreed to allow comprehensive audits of its data security system for 20 years.
So, what is the answer? How do you start to get a handle on shadow IT?
Ask.
Ask employees which cloud services they are using. You will usually also need a combination of automated and manual discovery tools (proxy, DNS and firewall log analysis, endpoint agents) to get a complete picture of which services employees are using and what data is hosted and shared in provider clouds. "Cloud consumption" dashboards built on that data can monitor and assess cloud usage and detect encryption tools on each host.
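The automated discovery step above, as an added example (not Code42's or CSA's tooling): a small Python script that tallies SaaS usage from web proxy logs and reports the services IT has not sanctioned, which users touched them, and how many bytes went out in POST/PUT requests. The log lines, the log format (epoch timestamp, client IP, status, bytes transferred, method, URL, user), the domain-to-service catalogue and the sanctioned list are all constructed assumptions for the example; in practice the catalogue would come from a CASB or service registry and the allow list from IT.

```python
"""Shadow-IT discovery from proxy logs (added example, not the page's own code).

Assumed log format per line: epoch_ts client_ip status bytes method url user
Assumed policy inputs: SERVICE_CATALOGUE (domain suffix -> SaaS name) and
SANCTIONED (services IT has vetted). All sample data below is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log (not real traffic).
SAMPLE_LOG = """\
1449000001.123 10.0.0.11 200 5120 GET https://app.box.com/api/2.0/files alice
1449000002.456 10.0.0.11 200 88000 POST https://content.dropboxapi.com/2/files/upload alice
1449000003.789 10.0.0.12 200 2048 GET https://login.salesforce.com/ bob
1449000004.001 10.0.0.13 200 3072 GET https://www.dropbox.com/home carol
1449000005.002 10.0.0.13 200 1500 GET https://mail.google.com/mail/u/0/ carol
1449000006.003 10.0.0.14 200 9000 PUT https://files.slack.com/upload dave
1449000007.004 10.0.0.12 200 700 GET https://evernote.com/Home.action bob
1449000008.005 10.0.0.15 200 123 GET http://intranet.example.com/ erin
"""

# Assumed catalogue of SaaS domains; extend from a real service registry.
SERVICE_CATALOGUE = {
    "box.com": "Box",
    "dropbox.com": "Dropbox",
    "dropboxapi.com": "Dropbox",
    "salesforce.com": "Salesforce",
    "google.com": "Google Apps",
    "slack.com": "Slack",
    "evernote.com": "Evernote",
}

# Assumed: services IT has vetted and approved.
SANCTIONED = {"Box", "Salesforce"}

UPLOAD_METHODS = {"POST", "PUT"}


def service_for_host(host: str) -> str | None:
    """Map a hostname to a catalogue service by its longest matching domain suffix."""
    parts = host.lower().rstrip(".").split(".")
    # content.dropboxapi.com -> dropboxapi.com -> com
    for i in range(len(parts)):
        suffix = ".".join(parts[i:])
        if suffix in SERVICE_CATALOGUE:
            return SERVICE_CATALOGUE[suffix]
    return None


def parse_line(line: str) -> dict | None:
    """Parse one log line in the assumed format; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _ts, _ip, _status, nbytes, method, url, user = fields
    host = urlsplit(url).hostname
    if not host or not nbytes.isdigit():
        return None
    return {"user": user, "host": host, "method": method.upper(), "bytes": int(nbytes)}


def discover_shadow_it(log_text: str) -> dict[str, dict]:
    """Per-service usage for catalogued services that are NOT sanctioned.

    Each entry: {"users": sorted list, "requests": int, "upload_bytes": int}.
    upload_bytes sums the bytes field for POST/PUT requests only, as a rough
    indicator of data leaving the enterprise for that service.
    """
    usage = defaultdict(lambda: {"users": set(), "requests": 0, "upload_bytes": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = service_for_host(rec["host"])
        if service is None or service in SANCTIONED:
            continue  # unknown host or approved service: not shadow IT
        entry = usage[service]
        entry["users"].add(rec["user"])
        entry["requests"] += 1
        if rec["method"] in UPLOAD_METHODS:
            entry["upload_bytes"] += rec["bytes"]
    return {
        svc: {"users": sorted(e["users"]), "requests": e["requests"], "upload_bytes": e["upload_bytes"]}
        for svc, e in sorted(usage.items())
    }


if __name__ == "__main__":
    for svc, info in discover_shadow_it(SAMPLE_LOG).items():
        print(f"{svc}: {len(info['users'])} user(s) {info['users']}, "
              f"{info['requests']} request(s), {info['upload_bytes']} bytes uploaded")
```

The suffix match matters: API hosts such as content.dropboxapi.com rarely share a domain with the service's web front end, so a catalogue keyed only on the marketing domain undercounts exactly the traffic (uploads) you care about most. Unknown hosts are deliberately dropped rather than flagged; a second pass over those is the "manual discovery" the text refers to.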
Protect your data.
Implement automatic backup of all endpoint data in the enterprise to capture a real-time view of where employee data lives, when and where it moves and who has touched it—even as it moves to and from non-approved clouds.
Act fast when the inevitable happens.
The reality is a breach may be inevitable, but you can recover. With continuous and automatic endpoint backup, IT can quickly evaluate the content of files believed to have been breached and act in good faith to lessen the impact. Additionally, understanding what was stolen allows a company to make an accurate disclosure and manage consumer confidence issues.
For CIOs and IT staff accustomed to maintaining complete control over their digital ecosystems, relinquishing even a bit of this control can be terrifying—even in the name of productivity. And yet, with a security strategy that focuses on complete data visibility, they can empower mobile workers while minimizing the risks associated with the dark side of shadow IT.
Rachel Holdgrafer, Business Content Editor, Code42
CSA's Incident Management and Forensics Working Group today released its "Cloud Forensics Capability Maturity Model", a new research report that describes a Capability Maturity Model (CMM) that can be used by both cloud consumers and Cloud Service Providers (CSPs) in assessing their process maturity for conducting digital forensic investigations in the cloud environment.
Even the most capable enterprise cannot avoid data breaches entirely. As such, there is a rising need for enterprises to adopt mature forensic security processes. This need will rise at least at the speed at which adversaries improve their attack strategies and techniques. This situation is even more complex in the world of cloud computing. Only with close cooperation between the cloud consumer (who has given up some control) and the CSP (who has inherited it) can adequate, timely and accurate forensic analysis occur.
The target audience for this paper is enterprise users that deal with all aspects (technical and organizational) of their forensic processes, and that plan to or have already integrated cloud IaaS services into their IT infrastructure. The starting point for the model was the Carnegie Mellon University Software Engineering Institute's (SEI) "Software Process Maturity Framework", which identifies five progressive levels of process maturity:
LEVEL   SEI Capability   Forensics Question
1       Initial          How are we ever going to do this?
2       Repeatable       Have we done this before?
3       Defined          What is our process for doing this?
4       Managed          What resources did this require?
5       Optimizing       How can we do this better?
The report provides detailed guidance for each question via scenario planning and recommended process mapping.
Numerous surveys have shown that Cloud Security is THE biggest concern for Cloud adoption. The Cloud Security Alliance led by Jim Reavis has been at the forefront of raising awareness of Cloud Security. The main activities of CSA have been around Cloud Security research and education.
CCSP: Thanks to CSA, I was part of the joint CSA and ISC2 team that developed the CCSP certification.
So here goes!
Aren’t CCSK and CCSP competing certifications?
Short answer…not really!
Both certifications have been developed with different objectives. CCSK is a certification that really tests the “knowledge” aspect of Cloud Security. As the certification title so clearly mentions, it is a certificate of cloud security KNOWLEDGE. It tests the knowledge of three key documents viz. the CSA Guidance, the CSA Cloud Control Matrix and the ENISA report.
On the other hand, CCSP tests not just the knowledge but also the practical experience of the professional. It does not restrict itself to these three documents but goes into other traditional areas of information security that are relevant to Cloud Security. It also imposes a stringent experience requirement of 5 years for those who would like to obtain the certification. The word PROFESSIONAL in the certification title signals that this is a much more in-depth and experience-driven credential.
As Jim Reavis correctly pointed out CCSK and CCSP really complement each other. In my opinion, attaining the CCSK credential prepares one for the more stringent CCSP certification.
What are the key differences between CCSK and CCSP?
The key differences between the two certifications are listed below:
1. Body of Knowledge
CCSK: The body of knowledge required to obtain CCSK certification is largely limited to three documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document. Check out the CCSK preparation guide for more information.
CCSP: The body of knowledge required to obtain CCSP is vast and, in addition to the above three documents, covers numerous knowledge sources. Further, it also has an "applied knowledge" angle to the examination that tests the professional's practical application of the knowledge she possesses.
2. Experience requirements
CCSK: CCSK has no experience requirements. Any individual who would like to obtain CCSK can do so after studying the three key documents and then passing the multiple-choice exam.
CCSP: CCSP has stringent experience requirements that make it clear that this certification is for experienced professionals with hands-on experience in cloud AND traditional information security. The experience level required for CCSP is a "minimum of 5 years of full-time, paid, cumulative information technology, including at least 3 years of information security and 1 year of cloud computing". The CCSP certification also recognizes the value of CCSK and has a provision that CCSK can be substituted for one year of experience in one of the six domains of the CCSP CBK.
3. Examination items
CCSK: Due to its focus on testing knowledge, CCSK is an objective, multiple-choice exam. Most exam items are based on information in the three documents viz. CSA Guidance, CSA Cloud Control Matrix and ENISA document.
CCSP: Due to its focus on testing both book and experiential knowledge, expect the exam items to be a mix of objective questions and scenario-based problem-solving questions. Those who have achieved CISSP certification will recognize this style of testing.
4. Exam delivery
CCSK: CCSK can be attempted through a browser from anywhere after obtaining an exam token from CSA. In fact, CSA generously offers two attempts at the exam when you register.
5. Examination cost
CCSK: The CCSK examination costs US$345.00. This entitles you to attempt the test up to two times. If necessary, additional test attempts can be purchased for US$345.00 each.
CCSP: The exam costs US$549 per attempt.
6. Certification Maintenance
CCSK: CCSK does not have any requirements to maintain the certification as of now. There is no provision for paying Annual Maintenance Fees or submitting CPEs.
CCSP: As with all ISC2 certifications, CCSP requires an Annual Maintenance Fee of US$100 per year and 90 CPEs over the certification cycle, with a minimum of 30 earned each year.
Which certification should I go for? Which one will be more valuable as a professional?
It really depends on the circumstances of each individual.
If you are new to Cloud Security, it is preferable to go for CCSK first and then attempt CCSP after gaining the requisite knowledge. CCSP also provides a pathway for those with less experience to attempt the CCSP exam and then obtain the certification once the experience requirements are met. This is similar to the mechanism in place for CISSP.
On the other hand, if you are an experienced IT security professional with enough exposure to Cloud Security, you could go directly for CCSP. A CCSP certification means that the holder is not just knowledgeable about Cloud Security but has practical experience in the subject. However, if you are not very sure of your knowledge of Cloud Security, it would be best to attempt CCSK before taking CCSP.
Summary
CCSK and CCSP complement each other and give professionals a way to demonstrate their competency level in Cloud Security. When deciding which certification to go for, it is important to first evaluate your current competency and experience level. As mentioned earlier, with its focus on testing knowledge from select documents, its open-book approach and its multiple-choice question format, CCSK is a great way to start the certification journey in Cloud Security.
However, if you are a hardened IT security professional with extensive knowledge and experience, and a full understanding of how those security aspects now relate to the Cloud, CCSP would be the way to go.
(Keith Prabhu, Executive Director, Confidis has over 18 years of experience in the IT domain. He holds various security credentials viz. CISA, CISSP, MBCI and CCSK. He is also the Chairman of Cloud Security Alliance, India RCB. He has been actively involved in creating Cloud Security certifications like CCSK and CCSP. He works at the intersection of business and technology and has provided several organizations with security advice that focuses on meeting business objectives.)