Cloud Security Certification Launched
Designed to Measure Advanced Competence
The new certification, known as Certified Cloud Security Professional, or CCSP, is designed as an international standard for professional-level knowledge of the design, implementation and management of cloud environments.
(ISC)², also known as the International Information Systems Security Certification Consortium, and CSA developed CCSP to help meet the need for cloud security professionals who have the knowledge and skills required to audit, assess and secure cloud infrastructures.
"The industry needs qualified IT professionals who understand how cloud services must be securely implemented and managed," says Hong Kong-based Clayton Jones, managing director-Asia Pacific, at (ISC)2.
(ISC)2's Global Information Security Workforce Study determined that 73 percent of nearly 14,000 respondents believed that cloud computing will require information security professionals to develop new skills. Cloud computing was also the top area of infosec with growing demand for education and training within the next three years.
"CCSP is for professionals in cloud security roles accountable for protecting enterprise architectures," says Singapore-based Aloysius Cheang, managing director-APAC, at the Cloud Security Alliance. "Specialized skills will be required to close the gap between increasing cloud adoption and high levels of security concerns."
The 2015 Cloud Security Spotlight study by CSA found that security is the biggest perceived barrier to cloud adoption. Nine out of 10 organizations surveyed were concerned about public cloud security. "This is due to lack of skills in handling cloud security risks," Cheang says.
Validating Security Skills
The new certification validates practical know-how for professionals whose day-to-day responsibilities involve cloud security architecture, design, operations and service orchestration, Jones and Cheang say. CCSP builds upon existing certifications and education programs, including (ISC)²'s Certified Information Systems Security Professional, or CISSP, and CSA's Certificate of Cloud Security Knowledge, or CCSK.
"The objective is to create incentives for infosec professionals to obtain CCSK and CCSP, creating a workforce with mastery over the broadest cloud security body of knowledge," Cheang says.
To apply for the new CCSP exam, applicants must have a minimum of five years' experience in IT, of which three must be in information security and one in cloud computing.
All candidates must demonstrate capabilities in each of the six domains:
- Architectural concepts and design requirements;
- Cloud data security;
- Cloud platform and infrastructure security;
- Cloud application security;
- Operations; and
- Legal and compliance.
The CCSP exam will be available at PearsonVUE testing centers worldwide beginning July 21. Training seminars begin June 8 in the U.S. and will be launched in the Asia-Pacific region in the third quarter of the year.
"The cloud certification program will help security-focused professionals align themselves with emerging security paradigms in cloud environments," says Singapore-based Siddharth Deshpande, principal analyst at Gartner.
Gartner's 2015 CIO Agenda survey revealed that 64 percent of organizations in Asia Pacific and Japan will either consider cloud-based "infrastructure as a service" as a first option or a serious option when considering new infrastructure projects, while 61 percent would consider "software as a service."
What Differentiates This Credential?
(ISC)2 and CSA acknowledge other cloud-related certifications are available, but they contend that most are vendor-specific and address information security nominally at a theoretical level. "The differentiator is CCSP and CCSK are vendor-neutral, reflecting overall industry best practices," Cheang says.
"CCSP focuses on assessment and reflects knowledge more than is required to pass an exam," Jones contends.
Delhi-based Vinayak Godse, senior director-data protection of Data Security Council of India (DSCI), says the new credential "is targeted at building individual capability to address cloud security tasks, helping enterprises build a strong cloud governance structure."
Deshpande says enterprises' security architects or application and infrastructure heads, as well as technical specialists from cloud service providers, could use the certification to help develop their careers.
John Lim, president of the Singapore chapter of ISACA, says cloud security is essentially a subset of cybersecurity, although there is much overlap.
"CCSP's focused on imparting practical knowledge which directly addresses the dearth of practical skills in the industry," Lim says. But he's concerned about how the certification will keep pace with rapid changes in the cyber world.
Jones of (ISC)2 responds: "As organizations replace traditional IT architectures with cloud models, cloud expertise will move from 'nice to have' to 'must have.' Besides, there's an urgent need for qualified cloud security professionals to lead a thorough evaluation, thus helping organizations responsibly take advantage of cloud services."