2020-09-15
As I had been planning to do since earlier this year, on August 31st I took and passed the Certificate of Cloud Security Knowledge (CCSKv4) exam. Thinking I’d put my experience to good use and inform potential test takers on the pros and cons of the certificate, I’ve decided to summarize my preparation process, the material, and the exam itself. More importantly, I’d like to try to answer the fundamental question: is the CCSK worth it?
To begin, let’s summarize the objectives and target users for this exam. The exam is designed to highlight the most pressing vendor-neutral security considerations for cloud use. It covers private and hybrid cloud deployments, but it’s especially focused on public cloud deployments. This includes the usual suspects: AWS, Azure, GCP, IBM Cloud, etc., as well as more targeted providers such as Salesforce or Tenable Nessus. Of course, being vendor-neutral, it doesn’t mention any specific brands or services, but the covered domains apply to all well-known deployment models and service providers.
Being vendor-neutral and introductory by nature, it covers high-level concepts across a variety of security and governance domains. This includes, among other things, non-technical topics such as legal considerations, compliance, and information governance as well as more technical concepts such as virtualization, containerization, application security, and SecDevOps. The chief objective of this exam is to ensure that its test-takers understand a wide variety of cloud security concepts. Passing this exam will not give you the deep technical understanding required to migrate an enterprise to the cloud, but it will give you the ability to understand the benefits and costs of doing so. Ideally, it will also give you the skills needed to communicate these costs and benefits to non-technical personnel and management.
The exam is designed for early-career IT professionals and, in my opinion, could be considered the cloud security equivalent of the CompTIA Security+. In fact, I believe that it is an excellent addition to the Security+ and would consider the knowledge obtained during that certification process a prerequisite to obtaining the CCSK. Given that information, let’s discuss how I prepared for the exam.
My preparation process was actually quite simple. The Cloud Security Alliance is very direct about what information is covered on the exam and the sources used for that information. The only exam preparation materials I used were the three source documents they derive the information from: CSA’s Security Guidance for Critical Areas of Focus in Cloud Computing v4.0, ENISA’s Cloud Computing: Benefits, Risks, and Recommendations for Information Security, and CSA's Cloud Controls Matrix v3.0.1.
I read each document twice all the way through and personally felt very prepared after doing so. The documents are pretty comprehensive and tend to drive home the same points over and over, which may be tedious for some, but really helped me retain the information. You are allowed to refer to the documents during the test, but I felt no need to do so. It's also worth noting that I actually do have work experience with the cloud, both on the customer and provider side.
The exam consists of 60 multiple-choice questions and is 90 minutes long. As far as difficulty goes, it’s certainly easier than the most recent iteration of the CompTIA Security+ exam (which I passed in February). CSA explicitly defines how many questions are included for each domain, so if you’re on a time crunch you could focus on the more heavily tested domains. The exam requires a score of 80% to pass, which is reasonable given that it is open-book. According to CSA, the pass rate of the exam is 62% (i.e. only 62% of test takers pass the exam). With the preparation noted above, I got a score of 91%.
Is the CCSK worth it? I’d say yes. The security considerations for cloud environments are in many ways the same as on-premises, but there are lots of concerns that differ greatly and aren’t necessarily intuitive. The material supplements a more traditional view of security and will become increasingly important as more and more IT operations move to the cloud. It also improves a young professional’s career prospects (or at least I'd hope!). Aside from the time investment and exam fee, I see little downside to any young professional pursuing this certification. As with all certifications, you’ll get out of it what you put into it, but I can confidently say that I benefited from the process.
As always, feedback is greatly appreciated. If you have any questions or comments, feel free to email me at me@infosecmatt.com.