Category: #IT/CYBER/TECHNOLOGY

Posted on

CCSK Certification vs AWS Certification – A Definitive Guide

I was recently asked about CCSK certification vs AWS certification and which one should be pursued by someone looking to getting into cloud security. This post tries to address the question “which cloud certification is right for you.” I’ll give you a lay of the land for both certifications, available training, the exams, and then conclude with thoughts on which certification is right for you.

Certificate of Cloud Security Knowledge (CCSK)

The Certificate of Cloud Security Knowledge (CCSK) is from a research organization called the Cloud Security Alliance (CSA). The CSA has created guidance for securing cloud services and released a recently updated version of this guidance (CSA Guidance v4). The guidance is about 150 pages and covers most of the knowledge required to successfully pass the CCSK exam (more about the exam down below).

In a nutshell, the goal of the CCSK is a vendor-neutral look at all cloud security issues that covers the three following areas of knowledge:

Cloud Computing Concepts and Architectures

It begins with answering the question “what is cloud computing,” moves on to the differences between, and other fundamental cloud knowledge.

  • Definitions
  • Service Models (SaaS, PaaS, IaaS)
  • Deployment Models (e.g. Public Cloud, Private Cloud)
  • Reference Architectures
  • Cloud Security Models

Governing in the Cloud

Like everything else, cloud security doesn’t (shouldn’t?) operate in a silo. The CCSK addresses how cloud changes governance, risk management and compliance. Other aspects of governing in the cloud include:

  • Contracts
  • Audit management
  • Information governance
  • Business continuity
  • Jurisdictional issues
  • Legal concerns

This information should be known by all individuals who are responsible for governing (and operating) cloud services, regardless of the service models being consumed in your organization.

Operating in the Cloud

Moving forward, the CCSK covers the technical components of cloud systems such as:

  • Virtualization (e.g. hypervisors, Software Defined Networks (SDN), VLAN
  • Containers
  • Incident Response
  • Application Security
  • Data Security and Encryption
  • Identity, Entitlement and Access Management
  • Security as a Service
  • Related Technologies (e.g. DevOps, Immutable Infrastructure, IoT, etc)

 CCSK Training

Should you take the training or self-study for the CCSK certification exam? That’s your call. Personally, I’m always a fan of doing training because it allows me to get away from the office and completely immerse myself in the subject at hand. I also get the opportunity to learn how things work in the “real world.”

If you prefer the self-study route, you have all the documentation you need listed below to take the exam.

If you are looking at the training route for yourself or your company, you can check out our offerings here. We offer the official and authorized CCSK in on-demand, on-line and in-person settings. We can also offer on-site training that is modified to your corporate requirements. (If you are looking for more info, a lot of these details about the CCSK can be found on Cloud Security Alliance’s website.)

All course registrants also get access to our exclusive CCSK exam prep kit that includes:

  • Immediate access to on-demand CCSK v4 course
  • CCSK exam v4 prep videos
  • Hundreds of CCSK v4 pre-test questions
  • Pre-paid token for the actual CCSK v4 exam

Note: Unfortunately, we are prohibited from offering the exam prep package as a stand-alone product.

CCSK Certification Exam

In addition to the CSA Guidance, you’ll need to read and understand CSA’s Cloud Controls Matrix (CCM), the Consensus Assessment Initiative Questionnaire (CAIQ), and finally the ENISA Cloud Computing Risk Assessment document. All documents are available from the following download links.

CCSK Exam Details

The exam itself is taken online any time you wish. There are 60 questions, and you are given 90 minutes to finish. It is an open-book exam, but don’t let that fool you – it’s a pretty tough exam, and I have seen people from various backgrounds fail.

My belief on the reason people fail the exam is because of the diverse nature of the CCSK exam itself. You’re looking at an exam that addresses both cloud operations and cloud governance. Most people will be strong in one or the other, but rarely is someone well-versed in both areas. If you’re in a technical position at work, you’ll need to focus on governance and vice versa, of course.

We have published some pre-test practice questions for exam candidates who are looking to see what they might be up against before taking the actual test. All the questions are based on the new v4 version of the CCSK exam.

Ready to get started? Download the CSA CCSK prep kit or look for upcoming training sessions near you.

Amazon Web Services (AWS Certification)

Amazon has multiple AWS and specialty certificationsavailable.

For convenience, I’m including the roadmap graphic that was on the AWS certification site below:

As you can see, there’s more to the question “CCSK or AWS Certification.” AWS has multiple streams available, but I’m going under the assumption that most people mean the AWS Certified Solutions Architect designation.

Regardless of the track or specialty, let’s make one thing extremely clear: AWS is a vendor and the complete focus will be on HOW things are done in AWS, specifically. Amazon says so themselves in their certification descriptions: “technical role-based certification.”

AWS Certified Solutions Architect – Associate

Below is the list of recommended knowledge you should have before even considering the AWS Architect – Associate exam.  I have done this exam (yes, I passed) and I wrote about my thoughts on that exam here.

  • One year of hands-on experience designing available, cost-efficient, fault-tolerant, and scalable distributed systems on AWS
  • Hands-on experience using compute, networking, storage, and database AWS services
  • Hands-on experience with AWS deployment and management services
  • Ability to identify and define technical requirements for an AWS-based application
  • Ability to identify which AWS services meet a given technical requirement
  • Knowledge of recommended best practices for building secure and reliable applications on the AWS platform
  • An understanding of the basic architectural principles of building on the AWS Cloud
  • An understanding of the AWS global infrastructure
  • An understanding of network technologies as they relate to AWS
  • An understanding of security features and tools that AWS provides and how they relate to traditional services

More information about the associate level certification from Amazon can be found here.

AWS Certified Solutions Architect – Professional

I have not taken this exam. That said, I have worked with many people who have taken and passed the professional exam. These people really know their AWS stuff. I think it is fair to say there aren’t many people who have the professional designation who just know the theory of things, but rather have years of practical hands-on experience in AWS.

In order to take the professional-level exam you must have the associate-level certification already.

Here is the list of knowledge AWS expects their professional architect holders to have:

  • Designing and deploying dynamically scalable, highly available, fault-tolerant, and reliable applications on AWS
  • Selecting appropriate AWS services to design and deploy an application based on given requirements
  • Migrating complex, multi-tier applications on AWS
  • Designing and deploying enterprise-wide scalable operations on AWS
  • Implementing cost-control strategies

In my view, you’re expected to be able to take everything you know from the associate level and apply it to enterprise scale.

More information about the professional level certification from Amazon can be found here.

AWS Training

For the AWS Architect – Associate certification, you can either take the self-study approach or attend an actual training session. Bottom line here is this is not a theory-based exam. You will need to have actually spun up server instances and have worked with AWS services before taking the actual exam.

Amazon has excellent learning collateral in their whitepapers that you should study if you are going solo. The resources they recommend are:

If you’re looking for an AWS Architect – Associate training session, the applicable course is a 3-day session called Architecting on AWS.  Their course schedule page can be found here.

The applicable AWS Architect – Professional course is the 3-day Advanced Architecting on AWScourse. The course schedule page can be found here.

AWS Certification Exam

A word to the wise. Passing the AWS Architect is all about two things:

  1. Hands-on experience, and
  2. Knowing what is covered in the exam.

As I mention in my thoughts on the AWS exam piece, buy the practice exam. Don’t even think about cheaping out on this one. Seriously. Doubly seriously if you’re doing the self-study approach.

AWS Exam Details

The AWS exam is a scaled score exam. In other words, not all questions have the same value. Easy questions are worth less than harder ones. I’m not alone when I say I hate these types of exams as you have no idea how you’re actually doing as you go through the questions. And an added bonus, Amazon states you need a “720” (out of 1,000) to pass the test, which does not mean 72 percent because the questions all have different values.

Download the AWS Certified Solutions Architect – Associate (February 2018)

Download the AWS Certified Solutions Architect – Professional exam guide.

Which Cloud Certification Is Right for You?

As we covered, the two certifications are not similar at all. The CCSK is relevant to both governance and operational security of cloud services. It is written by an independent body and is completely vendor agnostic. The AWS certifications are 100-percent technical and are specific to AWS implementations.

  • CCSK certification addresses the “what” of cloud security
  • AWS certification addresses the “how” of AWS implementations

If you are looking to understand cloud security challenges, the CCSK is right for you. If you are in management and need to understand the impact cloud services will have on your organization, the CCSK is for you. If you work in operations and need to better understand the security challenges associated with cloud in general, the CCSK is for you.

If you are working in a dedicated AWS technical position, the AWS Certified Architect is the certification you should go with. If you are working with AWS in a security capacity, you should do the CCSK first, then follow up with the vendor-specific AWS training.

From a corporate perspective, everyone involved with information technology, ranging from procurement through risk management and operations should attend the CCSK session, even if it is an accelerated 1-day “awareness” session.

About the author
Graham Thompson is a cloud security architect and delivers both CCSK and CCSP official courses as an authorized trainer for Intrinsec Security. You can reach Graham on LinkedIn or by old fashioned e-mail.

[Cloud Security Alliance Blog]

Posted on

Tech Docs: Traps Management Service Updates Are Live!

The May release of the Traps management service is now available and introduces the following key features and capabilities:

  • Traps for Android — You can now protect your Android endpoints from malware using the new Traps app for Android. To get your end users started with Traps for Android, you create a custom installation URL from the Traps management service and send it to your users. Your custom URL contains a distribution ID for your Traps management service tenant which ties the Android endpoint to your tenant. After you install Traps for Android, you can use the Traps management service to manage your Android endpoints and view details about the threats and events reported by your Android endpoints. Traps for Android is supported on Android 4.4 and later releases.

  • File Analytics — The Traps management service now provides detailed file analytics for the files that attempt to run on Windows and Mac endpoints in your organization.

  • Child Process Execution Criteria — You can now allow specific parent processes to launch child processes and optionally configure execution criteria based on command line parameters.

  • Windows Security Center Registration — You can now customize the registration behavior for Traps and the Windows Security Center.
  • Delete an Endpoint — This feature enables you to manually remove an endpoint from the Traps management service (Endpoints view) and returns its license to the license pool.

For more details on the new features, please refer to the following resources:

Happy reading!
Your friendly Technical Documentation team

Have questions? Contact us at documentation@paloaltonetworks.com.

[Palo Alto Networks Research Center]

Posted on

IS THE CISO WELL POSITIONED TO MITIGATE OPERATIONAL RISK?

by Tamer Gamali, CISSP, CISO Mashreq Bank, and member of the (ISC)² EMEA Advisory Council

Is the CISO well positioned to mitigate operational risk? (ISC)² will be asking this probing question of Security leaders at the kick-off session for Infosecurity Europe’s Leaders Programme in London next month. A round table discussion conducted under the Chatham House Rule, the session creates an opportunity to offer up frank comment and illuminate the challenges currently hampering companies from appreciating and truly gaining control of cyber risks. Infosecurity Europe’s Leaders Programme is open to CISOs and Heads of Information Security, who are the final decision-makers and budget holders for information security in end-user organisations, making this a bespoke session for those charged with managing the risks. It’s also a continuation of a discussion we started in Abu Dhabi at Infosecurity Middle East in March which proved to be very enlightening.

We had 10 participants sitting around the table in Abu Dhabi, all with CISO-level responsibilities representing government, at city and national levels, small companies and larger corporations. Overall, the group confirmed a persistent governance challenge when it comes to mitigating cyber security risk, despite the acknowledgement of a National Framework and/or documented company policy and procedures. Understanding what should be done, it seems, is proving not enough: organisations must also build in the motivation and influence across their management structure to get it done.

The group confirmed, for example, that the status of a project or its business owner, is more likely to determine whether it goes forward without sign off from the security experts, than the understood risks. In all cases, participants felt they couldn’t always put their hand up and highlight concerns, even when there was a security governance committee in place: if a project was considered critical or high -profile the chief motivation is to deliver making it likely to move ahead into production with the risks logged in a risk register. The group also revealed that increasing levels of risks logged in this way were being realized within months.

Clear lines of accountability proved to be another concern. Participants noted the existence of many consultants and recommenders, but very few approvers in the security and risk governance process. In the best-case scenario, particularly within government, a governance committee will have authority to veto acceptance of risk by a business owner, yet the veto occurring will still be determined by the criticality of the project, not necessarily the level of risk. Further, all described an unhealthy relationship with auditing grounded in the belief that auditors are biased to find something wrong rather than contribute to development, while traditional auditors lack the skill needed for cyber.

Overall the group concluded that there is no single model for security governance, including the auditing stages, but there are some intangible yet clear shortcomings that must be recognised and accepted. Ensuring the right level of influence and a healthier balance of considerations is needed. Regulators are recognising this and some, including within the UAE, are requiring the appointment of a CISO accountable for regularly updated plans within particular sectors. Clearly, greater visibility and co-ordination of the overall risk will be required if CISOs, and the organisations that appoint them are going to live up to the expectation. Frameworks, best practice and policies must be backed up by a process to document that they have been followed and best efforts made.

As a Chief Information Security Officer (CISO) based in Dubai with over 12 years working in this capacity within financial services, and a volunteer member of (ISC)²s EMEA Advisory Council, I am 
keen to help companies develop a deeper understanding of how operational risks are evolving with cyberthreats. As every company marches toward their own digital agenda, I believe that the CISO will increasingly play a strategic, not just supporting role. A well-positioned, business-aligned CISO can help align corporate priorities so that security issues can be properly addressed as companies increase their dependency on technology and, therefore, the capacity to address the risks properly.

I look forward to continuing and sharing more insights from the discussion in London, June 5 at 10:30am. To join us, qualifying Infosecurity Europe delegates must register for a Leaders Pass, which also gives them access to a Leaders Lounge and networking opportunities, in addition to the round tables. Learn more, and register to join us.

[(ISC)² Blog]

Posted on

Cloud Security Alliance Announces FedSTAR, a New Joint Certification System with FedRAMP

Seattle, WA– May 14, 2018 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, today announces that it has partnered with the Federal Risk and Authorization Management Program (FedRAMP), at the U.S. General Services Administration (GSA). The two programs will work together to develop FedSTAR that offers mutual recognition between the two security programs based on a common framework for deployment, use and maintenance.

“FedRAMP and CSA’s STAR are among the most used cloud certifications world-wide, however, because they are deployed separately and incompatible, cloud service providers (CSP) spend valuable resources in duplicating efforts to comply with both systems,” said Kate Lewin, Federal Director, Cloud Security Alliance.

“Complying with multiple systems is not only confusing, costly and ineffective, but acts as a barrier to market entry for smaller companies. That’s about to change with the development of FedSTAR. Now, CSPs will be able to earn two certifications with one audit, saving both time and money,” she added.

Cloud service providers are in desperate need of tools they can use to analyze and assess their security posture, as well as use to conduct continuous monitoring. FedSTAR will provide processes and methodologies that allow CSPs to stop replicating steps that are common between FedRAMP and STAR. This collaboration will demonstrate the effectiveness and efficiency of joint efforts with the U.S. Government and industry to reduce compliance burdens on private-sector companies.

CSA and the GSA have agreed to establish a working group to begin work on bridging the gaps. The group will engage independent, third-party assessor companies to conduct a gap analysis between STAR and FedRAMP controls.

Further, the working group will seek input from all stakeholders, including cloud service providers, the security community (CISOs, risk managers) and Federal government as it sets out to determine which processes and procedures from each system can be recognized and accepted by both, including the Independent Third-Party Assessors certification processes, documentation format, and standards for mutual acceptance. Individuals and organizations interested in participating in the working group are invited to contact Katie Lewin, Federal Director, CSA.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security- specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem.

Media Contact

Kari Walker for the CSA
ZAG Communications
703.928.9996
kari@zagcommunications.com

[Cloud Security Alliance Research News]

Posted on

The Impact of Net Neutrality on Cloud Computing

The US Federal Communications Commission (FCC) recently repealed the net neutrality guidelines that it implemented less than three years ago. There has been much discussion, speculation and concern about how that move will impact the Internet, small business and consumers. Many people have suggested that one effect of the repeal will be that video streaming and other cloud hosted, web-delivered media will start to cost much more for the consumer.

It became unlawful for broadband providers to decide to slow down or block certain web traffic when the 2015 regulations were enacted by the FCC. Actually, the 2015 rules did not incorporate enterprise web access, which is often custom. They did, however, safeguard the flow of data to small businesses.

FCC chair Ajit Pai and other lawmakers take the position that the policies and practices of net neutrality are unnecessary rules which make it less likely that people will invest in broadband networks, placing an unfair strain on internet service providers (ISPs). That perspective does not seem to be aligned with that of the public, according to a poll from the University of Maryland showing that 83% of voters favored keeping the net neutrality rules in place.

What is net neutrality, exactly?
The basic notion behind the concept of net neutrality, according to a report by Don Sheppard in IT World Canada, is that the government should ensure that both all bits of data and all information providers are treated in the same way.

Net neutrality makes it illegal to have paid priority traffic, throttle, block, or perform similar tasks (see below).

Sheppard noted that there are two basic technical principles related to internet standards that are part of the basis for net neutrality:

  • End-to-end principle – Functions related to applications should not take place at intermediate nodes but instead at endpoints within networks used for general purposes.
  • Best efforts delivery – There can be no performance guarantee but instead a demand for best efforts for equal, nondiscriminatory packet delivery.

IoT: harder for startups to compete?
Growth of the Internet of Things (IoT) is closely connected to the expansion of cloud computing – since the former standard uses the latter as its backend. In terms of impact on the IoT, Nick Brown noted in IOT For All that the repeal of net neutrality will result in an uneven playing field in which it will become more difficult for smaller organizations, while larger firms will be able to form tighter relationships with ISPs.

The issue of greater latency is key to the removal of net neutrality, because latency could arise as sites are throttled (decelerated). The reason that throttling would occur between one device and another is that ISPs may want some devices (perhaps ones they build themselves) to have better performance than others.

Some people think the impact of the net neutrality repeal on the IoT will be relatively minor. However, many thought leaders think there will be a significant effect since IoT devices rely so heavily on real-time analysis.

Entering a pay-to-play era
Throttling, or slowing throughput, could occur with video streaming services and other sites. Individual cloud services could be throttled. Enterprises could have difficulty with apps that they host in their own data centers, too, since those apps require a fast internet connection to function as well.

There will be a pay-to-play scenario for web traffic instead of just using bandwidth to set prices, according to Forrester infrastructure analyst Sophia Vargas.

There is competition between wired and wireless services that has resulted from changes to their pricing models following the repeal of net neutrality, said Vargas. The pricing is per bandwidth for wired, landline services, while it is per data for wireless services. Wireless services will have the most difficulty because wired services are controlled by a smaller number of ISPs.

There will be more negotiations and volatility in the wireless than in the wired market, noted Vargas. Competition is occurring “in the ability for enterprises to essentially own or get more dedicated [wired] circuits for themselves to guarantee the quality of service on the backend,” she added.

Does net neutrality really matter?
The extent to which people are committing themselves to one side or the other gives a sense of how critical net neutrality is from a political, commercial and technical perspective. A consumer should be aware of the potential for companies to mistreat them without these protections in place (which is not to say those abuses will occur).

Ways that ISPs could perform in a manner that go against the precepts of net neutrality are:

  • Throttling – Some services or sites could be treated with slower or faster speeds.
  • Blocking – Getting to the services or sites of competitors to the ISP could become impossible because those sites are blocked.
  • Paid prioritization – Certain websites, such as social media powerhouses, could pay to get better performance (in reliability and speed) than is granted to competitors that may not have the same capital to influence the ISP.
  • Cross-subsidization – This process occurs when a provider offers discounted or free access to additional services.
  • Redirection – Web traffic is sent from a user’s intended site to a competitor’s site.

Rethinking mobile apps
Another aspect of technology that will need to be rethought in the post-repeal world is improving efficiency by developing less resource-intensive mobile apps that are delivered through more geographically distributed infrastructure. Local caching could also help, and delivery of apps that serve video and images should potentially be restructured.

You can already look at file size to create better balance in the way you deliver video and images to mobile users. However, the rendering, quantity that is stream-loaded (to avoid additional pings), and other aspects are optimized with net neutrality as a given.

Providers of content delivery networks (CDNs) will need to re-strategize the methods they use to optimize enterprise traffic.

Cost has been relatively controlled in the past, according to Vargas. There is an arena of performance management and wireless area network (WAN) optimization software that was created to manage speed and reliability for data centers and mobile. Those applications will no longer work correctly because they were engineered with traffic equality as a defining principle. Hence, providers will have to adapt to meet the guidelines of the new paradigm.

Marty Puranik, CEO, Atlantic.Net

[ISACA Now Blog]

English
English
Exit mobile version